Re: [w3c/webcomponents] Generic programs can't reliably use/manipulate documents via the DOM (#640) from Matthew Ryan on 2017-05-16 (public-webapps-github@w3.org from May 2017)

From: Matthew Ryan <notifications@github.com>
Date: Tue, 16 May 2017 06:47:47 -0700
To: w3c/webcomponents <webcomponents@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/webcomponents/issues/640/301787548@github.com>

> This is why it's very important for each component to opt-in to whatever polyfill or library each page is importing. The idea of automatically enhancing an arbitrary component written by a third party quickly fails in practice.

This seems to be the only point where we're not looping around the same arguments.

Why is it very important for each *component* to do this? Sometimes it will be what the page author intends and wants; other times not. Can we not find a compromise where the page author gets to decide which scripts can and can't access which shadow DOMs? Then, developers have a clear idea of what might break if/when a component is updated, and what will not.

For example, would there be any issues with extending the script tag so that:
* `<script ... shadow-dom="true">` allows the script it includes (and any execution it spawns, such as `eval`s, event listeners, etc.) to access shadow DOMs;
* `<script ... shadow-dom="false">` does not give the script any shadow DOM access (under the same conditions);
- it should also likely restrict scripts it imports to `shadow-dom="false"`
* possibly `<script ... shadow-dom="request">`, which eg. dispatches an event on the shadow host on `.shadowRoot` accesses that scripts with `shadow-dom=true` can catch (`event.relatedTarget` perhaps being the script element), denying access using `event.preventDefault()`?
- it should also likely convert scripts it imports from `shadow-dom="true"` to `shadow-dom="request"`

Adding a `with {shadowDom: "true" | "false" | "request"}` to the spec. for ECMAScript 6 `imports` could easily provide the same for those. I also think that a default to `false` for all scripts would be reasonable in this case, for the reassurances it provides.

The major issue I have with closed shadow DOMs is that the decision is made piecemeal, by the developer of each component, and (necessarily) without the complete information of their interactions with each author's document. Giving this control to the author at the script level would seem to give the assurances *and* flexibility that we want between us.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/640#issuecomment-301787548

Received on Tuesday, 16 May 2017 13:48:19 UTC