[webcomponents] [Shadow]: Add "closed" flag to createShadowRoot (bugzilla: 20144) (#100) from Hayato Ito on 2015-05-25 (public-webapps-github@w3.org from May 2015)

From: Hayato Ito <notifications@github.com>
Date: Mon, 25 May 2015 01:51:55 -0700
To: w3c/webcomponents <webcomponents@noreply.github.com>
Message-ID: <w3c/webcomponents/issues/100@github.com>
Title: [Shadow]: Add "closed" flag to createShadowRoot (bugzilla: 20144)

Migrated from: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144

----
comment: 0
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c0
*Dimitri Glazkov* wrote on 2012-11-28 22:59:01 +0000.

A tree created with this flag set to true will not appear in the shadow DOM traversal API.

----

comment: 1
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c1
*Dimitri Glazkov* wrote on 2012-11-28 23:01:52 +0000.

It seems that having a distinction of a "private" shadow tree is a misnomer, possibly giving the author a false hope that their shadow tree is somehow protected from a motivated owner of the document. Unfortunately, that's not the case -- the document can easily override and capture all shadow trees created, thus killing the shadow author's illusion of privacy.

----

comment: 2
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c2
*Dominic Cooney* wrote on 2013-04-25 04:54:09 +0000.

This public-webapps thread is informative: <http://lists.w3.org/Archives/Public/public-webapps/2013JanMar/0800.html>

----

comment: 3
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c3
*Edward O'Connor* wrote on 2014-02-07 23:23:01 +0000.

So, any progress on this?

(I'm not sure if you are using Bugzilla's Importance field; if so, I bumped this up to P1 given recent discussions.)

----

comment: 4
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c4
*Dimitri Glazkov* wrote on 2014-02-11 23:28:09 +0000.

(In reply to Edward O'Connor from comment #3)
> So, any progress on this?

Not yet. But it's still on the radar.

BTW, this should also disable access via relevant CSS selectors (http://dev.w3.org/csswg/shadow-styling/).

----

comment: 5
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c5
*Maciej Stachowiak* wrote on 2014-02-12 01:18:08 +0000.

Suggestion: how about instead of private vs public, the flag is "open" vs "closed"? That won't unduly promise security isolation. Then a hypothetical third truly secure mode could be called "secure" or "sandboxed" and it would be consistent.

----

comment: 6
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c6
*Dimitri Glazkov* wrote on 2014-02-13 21:47:01 +0000.

This public-webapps thread is informative: http://lists.w3.org/Archives/Public/public-webapps/2014JanMar/thread.html#msg217

----

comment: 7
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c7
*brian kardell* wrote on 2014-02-24 19:56:55 +0000.

It seems to me that there are different concerns you might talk about, not entirely unlike sandboxed iframes.  Shadow DOM (as currently) provides a nice simple membrane to keep lots of accidental things from going wrong, but can be easily traversed into/pierced and doesn't get a separate execution context or anything special.  If we had a ::parts concept it would be useful to explain what that means in terms of CSS and DOM boundaries, etc.

Is it possible to consider, instead of a flag, that a shadow root has a set of properties (which I hope default to what they currently are in canary, personally).  This would probably help explain things in the platform even if we never entirely enable them in author space, if you see what I am saying.

----

comment: 8
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c8
*Hayato Ito* wrote on 2014-11-19 04:49:40 +0000.

*** Bug 16509 has been marked as a duplicate of this bug. ***

----

comment: 9
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c9
*Hayato Ito* wrote on 2015-02-10 08:44:08 +0000.

Let me change the subject of this bug since I am feeling that we tend to use 'closed' rather than 'private'.

----

comment: 10
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c10
*Hayato Ito* wrote on 2015-02-10 08:48:29 +0000.

*** Bug 23134 has been marked as a duplicate of this bug. ***

----

comment: 11
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c11
*Dylan Barrell* wrote on 2015-03-10 21:47:48 +0000.

(In reply to Hayato Ito from comment #10)
> *** Bug 23134 has been marked as a duplicate of this bug. ***

Please consider my concerns raised in this comment https://www.w3.org/Bugs/Public/show_bug.cgi?id=27775#c11

----

comment: 12
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c12
*Maciej Stachowiak* wrote on 2015-04-22 01:26:46 +0000.

It looks like 'closed' mode has been added to the spec, but not yet a way to enter it (this bug) or a spec of its behavior (bug 27775).

----

comment: 13
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c13
*Hayato Ito* wrote on 2015-04-22 16:54:29 +0000.

The status of the behavior of the closed mode is still WIP. There are still remaining tasks. I have to address how event.path() should work for closed shadow trees further at least.

What's the more important is that we don't have a clear idea how open / closed interact in multiple shadow trees. I'm still investigating.

----

comment: 14
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c14
*Maciej Stachowiak* wrote on 2015-04-22 17:00:48 +0000.

Does adding a parameter to createShadowRoot() require solving all those problems first?

----

comment: 15
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c15
*Hayato Ito* wrote on 2015-04-22 17:07:36 +0000.

(In reply to Maciej Stachowiak from comment #14)
> Does adding a parameter to createShadowRoot() require solving all those
> problems first?

Good question. No. This bug shouldn't depends on bug 27775 strictly in terms of the spec. We can do in parallel!

Let's move this bug forward.

I think the proposal so far is to make createShadowRoot() can take one optional dictionary, such as:

- createShadowRoot({'mode': [closed/open]})

Is there any other proposal?

----

comment: 16
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c16
*Hayato Ito* wrote on 2015-04-22 17:09:55 +0000.

Unless there is any other proposal, let's me spec that tentatively.

----

comment: 17
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c17
*Hayato Ito* wrote on 2015-04-22 18:13:40 +0000.

Done tentatively at https://github.com/w3c/webcomponents/commit/7be4645926583dba2a3b137609885b3c4ee4205f.

I appreciate any feedbacks.

----

comment: 18
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c18
*Maciej Stachowiak* wrote on 2015-04-23 21:52:57 +0000.

Looks like a good starting point for the API. Thanks! I think the remaining issues are captured in bug 27775 (to define the behavior) and bug 28445 (to determine the default) so I think it would be reasonable to close this bug now.

----

comment: 19
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c19
*Hayato Ito* wrote on 2015-04-27 03:03:50 +0000.

Let me reopen this.
Now ShadowRootInit should be mandatory.

----

comment: 20
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c20
*Domenic Denicola* wrote on 2015-04-27 03:50:46 +0000.

There is also the issue of naming. At the F2F many people were saying that "closed" vs. "open" is not a good name for this because the existing mode is fairly closed already.

I offer { censored: true }/{censored: false } since its primary function is to censor shadowRoot, deepPath, and any other future properties.

----

comment: 21
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c21
*Anne* wrote on 2015-04-27 08:03:00 +0000.

How about visible/hidden/isolated?

----

comment: 22
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c22
*Olli Pettay* wrote on 2015-04-27 17:06:39 +0000.

censored doesn't really say much, IMO.

visible, hidden, isolated - I think I like that.

(better than public/protected/private)

----

comment: 23
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c23
*Domenic Denicola* wrote on 2015-04-27 17:09:12 +0000.

"visible" still doesn't seem correct. Unless you are using visible to refer to the light DOM, and hidden is { closed: true }?

----

comment: 24
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c24
*Olli Pettay* wrote on 2015-04-27 17:13:42 +0000.

"visible" when passed to createShadowRoot() quite naturally hints that the
created shadow root is visible to the outside users, no?

----

comment: 25
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c25
*Domenic Denicola* wrote on 2015-04-27 17:18:12 +0000.

No, to me it hints that the resulting DOM is visible like normal DOM is, not that it's hidden from CSS selectors and from access without the .shadowRoot indirection.

I think if we want a spectrum of terms we need to have it include light DOM at one end. E.g.

- Light DOM: visible
- Shadow DOM: shadow
- Shadow DOM, censored access: hidden
- Shadow DOM, isolated global: isolated

----

comment: 26
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144#c26
*Domenic Denicola* wrote on 2015-04-27 17:19:45 +0000.

Sorry, to clarify: I just want some straightforward terminology. We of course wouldn't allow .createShadowRoot({ mode: 'visible' }) in my scheme. I just want to talk about what mode a subtree is in and have a word for what mode it's in when there's no shadowey stuff going on.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/100
Received on Monday, 25 May 2015 08:53:09 UTC