- From: <bugzilla@jessica.w3.org>
- Date: Tue, 24 Feb 2015 00:44:35 +0000
- To: public-webapps-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=17761 Travis Leithead [MSFT] <travil@microsoft.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |travil@microsoft.com --- Comment #1 from Travis Leithead [MSFT] <travil@microsoft.com> --- +1 Firstly, I believe the success of the <iframe> is largely due to its simplicity--just set src to a URL and done--the component loads. Doing this declaratively also lends to its ease-of-use. What we have going with web components is not an iframe of course, but by now we have a well-understood notion of what the pieces are: a shadow dom, a custom element and its binding, and imports. These are great imperative mechanisms. I think we are ready for the next step--the declarative part, and that this will start to tie it all together and bring web components forward independently of script libraries. I'm decidedly in favor of stronger component isolation. There is much more that can be secured and guaranteed if the component and its internals are more isolated. Using a URL directly from the host element to load a component seems like the most direct mechanism to rally around to provide that isolation. I'm not saying that the components need the same isolation as provided by <iframe>, but using a URL closely associated with the host element on which the component is loaded makes it much more direct to initially flag things like style, script, and document markup access/isolation, since you might not require script to get things setup using today's defined primitives. I see the ShadowRoot as an object that looks a lot like the gateway to a component, but which lacks any of the access-control mechanics because it is always at the mercy of the host. A URL model would [in theory] be able to bring a ShadowRoot into existence with appropriate access control. Otherwise, you have to somehow convey the <link rel=import>'s URL-based restrictions into all created components, which is possible, but seems overly complicated. Such a proposal to use a URL to directly load a component's shadow dom does require a bit of tweaking of some existing ideas. For example, it might need to bring some of custom elements's binding mechanisms into place for the host element (or how does the component interface/create the host OM?). -- You are receiving this mail because: You are the QA Contact for the bug.
Received on Tuesday, 24 February 2015 00:44:39 UTC