- From: Eduardo Robles Elvira <edulix@agoravoting.com>
- Date: Tue, 1 Jul 2014 10:22:10 +0200
- To: "Eduardo' Vela" <evn@google.com>
- Cc: public-webappsec@w3.org
On Mon, Jun 30, 2014 at 6:00 PM, Eduardo' Vela" <Nava> <evn@google.com> wrote: > ShadowDOM used to have security properties but they got removed (not sure > why, but when I took a look it was easy to work around them). > > It seems like this proposal is just iframes anyway right? Or how are the > isolated components different from iframes? Hello Eduardo: It's true that this has some resemblance to iframes, in the idea of having a shadow dom that is not accessible. Other than that, the only resemblance is the resemblance between iframes and web components. One could also ask, how are web components different from iframes, in general? You don't want to use an iframe instead of a web component. You might have a web component being used multiple times in a single webpage, like for showing dates in github. And in that case you wouldn't use an iframe, would you? The proposal I made includes web component pinning and interation with the security features of the web browser. The idea of isolated web components is to be the equivalent of SSL for end-to-end user security. If browsers had isolated web-components, Google wouldn't have created "end-to-end" [1] as a chrome extension - it could have made it available in Gmail Labs as an isolated web component - that would work in multiple web browsers and have the same level of security. That's the real power of web components in isolation - and because such a thing cannot be currently done, that's why I think we need it. Regards, Eduardo
Received on Tuesday, 1 July 2014 08:23:08 UTC