Re: [w3c/webcomponents] Generic programs can't reliably use/manipulate documents via the DOM (#640)

> Would using a local, unexposed weakmap mitigate that?

@isiahmeadows Using it for what? My instinct is no: closed shadow DOM creation can be circumvented (depending on order of script execution), and it is easy to leak the shadow root, intentionally or not. Obviously, if your code is careful and you can ensure that no XSS script can run before you get your reference to `Element.prototype.attachShadow`, then the (IMO harmful) behaviour of closed shadow roots should be as specified.

I'll leave the rest of your comment; I don't think this is the place to discuss network vulnerabilities/mitigations.

-- 
https://github.com/w3c/webcomponents/issues/640#issuecomment-336136502

Received on Thursday, 12 October 2017 13:28:03 UTC
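
The load-order dependence described in the message above, as an added example that is not part of the original thread: a component that captures `attachShadow` once and keeps its closed roots in an unexposed WeakMap, run under both script orders. The `makeFakeElement` class is a constructed stand-in for `Element` so the code runs outside a browser, and `makeComponent`, `installWrapper` and `rootsSeenByWrapper` are hypothetical names.

```javascript
// Constructed stand-in for Element: only open roots are exposed on the host,
// mirroring how host.shadowRoot is null for a closed shadow root.
function makeFakeElement() {
  return class FakeElement {
    attachShadow({ mode }) {
      const root = { mode };
      this.shadowRoot = mode === 'open' ? root : null;
      return root;
    }
  };
}

// Component code: capture the method once at load time and keep every root
// in a WeakMap that is never exported from this closure.
function makeComponent(ElementCtor) {
  const attachShadow = ElementCtor.prototype.attachShadow;
  const roots = new WeakMap();
  return function upgrade(host) {
    roots.set(host, attachShadow.call(host, { mode: 'closed' }));
    return host;
  };
}

// Hypothetical other script on the page that wraps the prototype method
// and records every root that passes through it.
function installWrapper(ElementCtor) {
  const seen = [];
  const original = ElementCtor.prototype.attachShadow;
  ElementCtor.prototype.attachShadow = function (init) {
    const root = original.call(this, init);
    seen.push(root);
    return root;
  };
  return seen;
}

// Run one load order and report what the wrapper observed.
function rootsSeenByWrapper(componentLoadsFirst) {
  const El = makeFakeElement(); // fresh prototype per scenario
  let upgrade, seen;
  if (componentLoadsFirst) { upgrade = makeComponent(El); seen = installWrapper(El); }
  else { seen = installWrapper(El); upgrade = makeComponent(El); }
  const host = upgrade(new El());
  return { seen: seen.length, exposedOnHost: host.shadowRoot };
}

console.log('component first:', rootsSeenByWrapper(true));
console.log('wrapper first:  ', rootsSeenByWrapper(false));
```

In both orders `host.shadowRoot` stays `null` and the WeakMap is never exposed, yet the root is still observed whenever the wrapper was installed before the component captured its reference.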