[Bug 19562] [Shadow]: Consider making shadow DOM subtrees public by default

https://www.w3.org/Bugs/Public/show_bug.cgi?id=19562

Sooel Son <sonpostman@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sonpostman@gmail.com

--- Comment #2 from Sooel Son <sonpostman@gmail.com> ---
I found that simple code from the previous thread (bug 15409).
Therefore, I would like to ask you a question about the following code instance.

var shadows = new WeakMap();
(function () {
  var realCtor = ShadowRoot;
  ShadowRoot = function (host) {
    var shadow = new realCtor(host);
    var hostShadows = shadows.get(host);
    if (!hostShadows) {
      hostShadows = [];
      shadows.set(host, hostShadows);
    }
    hostShadows.push(shadow);
    return shadow;
  };
})();

A JavaScript closure can hide a shadow root instance from the hosting page or
other scripts running on the same origin. However, because the hosting page can
redefine ShadowRoot, the shadow root can be accessible to other scripts via the
following code.

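var realShadowRoot = window.ShadowRoot;  // reference to the original constructor
window.hook_shadowRoots = [];
window.ShadowRoot = function(e) {
  // create the shadow root with the original constructor, then record it
  var shadow = new realShadowRoot(e);
  window.hook_shadowRoots.push(shadow);
  return shadow;
};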

I understand that Shadow DOM does not provide a security-isolated environment.
However, it can be used for hiding DOM elements even from the same origin with
the help of a JavaScript closure.

My question is simple. Is it possible? Or is there no plan at all to support
this scheme?


Received on Saturday, 10 November 2012 16:51:21 UTC