[Bug 17761] Consider a src/href-like attribute for easy integration? from bugzilla@jessica.w3.org on 2015-02-24 (public-webapps-bugzilla@w3.org from February 2015)

From: <bugzilla@jessica.w3.org>
Date: Tue, 24 Feb 2015 00:44:35 +0000
To: public-webapps-bugzilla@w3.org
Message-ID: <bug-17761-2532-5RghWya5i8@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=17761

Travis Leithead [MSFT] <travil@microsoft.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |travil@microsoft.com

--- Comment #1 from Travis Leithead [MSFT] <travil@microsoft.com> ---
+1

Firstly, I believe the success of the <iframe> is largely due to its
simplicity--just set src to a URL and done--the component loads. Doing this
declaratively also lends to its ease-of-use. What we have going with web
components is not an iframe of course, but by now we have a well-understood
notion of what the pieces are: a shadow dom, a custom element and its binding,
and imports. These are great imperative mechanisms. I think we are ready for
the next step--the declarative part, and that this will start to tie it all
together and bring web components forward independently of script libraries.

I'm decidedly in favor of stronger component isolation. There is much more that
can be secured and guaranteed if the component and its internals are more
isolated. Using a URL directly from the host element to load a component seems
like the most direct mechanism to rally around to provide that isolation. I'm
not saying that the components need the same isolation as provided by <iframe>,
but using a URL closely associated with the host element on which the component
is loaded makes it much more direct to initially flag things like style,
script, and document markup access/isolation, since you might not require
script to get things setup using today's defined primitives.

I see the ShadowRoot as an object that looks a lot like the gateway to a
component, but which lacks any of the access-control mechanics because it is
always at the mercy of the host. A URL model would [in theory] be able to bring
a ShadowRoot into existence with appropriate access control. Otherwise, you
have to somehow convey the <link rel=import>'s URL-based restrictions into all
created components, which is possible, but seems overly complicated.

Such a proposal to use a URL to directly load a component's shadow dom does
require a bit of tweaking of some existing ideas. For example, it might need to
bring some of custom elements's binding mechanisms into place for the host
element (or how does the component interface/create the host OM?).

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Tuesday, 24 February 2015 00:44:39 UTC