Re: [w3c/webcomponents] document.currentScript from a script in a shadow tree. (#477) from Domenic Denicola on 2016-04-04 (public-webapps-github@w3.org from April 2016)

From: Domenic Denicola <notifications@github.com>
Date: Sun, 03 Apr 2016 22:19:46 -0700
To: w3c/webcomponents <webcomponents@noreply.github.com>
Message-ID: <w3c/webcomponents/issues/477/205141098@github.com>

Worrying about escape via shadow scripts calling non-shadow scripts seems similar to the many worries people have about closed shadow roots not being closed enough. (E.g., you can modify the running of script in those by overriding getters or setters on `Object.prototype` to inject your own logic.) The way to solve those kind of concerns is some kind of isolated scripting environment, in some subsequent "isolated shadow trees" proposal. But for open and closed shadow trees, I don't think it's worth trying to restrict. So I also support 1.

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/477#issuecomment-205141098

Received on Monday, 4 April 2016 05:20:13 UTC