- From: Isiah Meadows <notifications@github.com>
- Date: Thu, 12 Oct 2017 12:30:38 +0000 (UTC)
- To: w3c/webcomponents <webcomponents@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 12 October 2017 12:31:02 UTC
@mrmr1993

> This is not something the shadow DOM was created for, and it doesn't give any guarantees of security.
>
> [quote...]

Would using a local, unexposed weakmap mitigate that?

> This is also a problem with (session) cookies, etc. A properly set CSP is the way to make these guarantees. If you are MITM-ed, game over anyway.

Very true, especially if they catch you establishing the initial connection (as ISPs have been known to do). The only way you can really hope to side-step it at all is through dedicated protocols like Signal.

> Shadow DOM may help in this way, but it's not the intention of the design, and I don't think it's a good argument for closed shadow DOMs.

Agreed, and it's like trying to apply duck tape to a broken structural support. Maybe 1% of the time, it actually works, but the other 99% of the time, you've got bigger problems than just that one break.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/640#issuecomment-336117365