- From: Ryosuke Niwa <notifications@github.com>
- Date: Thu, 26 Mar 2020 19:22:44 -0700
- To: w3c/webcomponents <webcomponents@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 27 March 2020 02:22:59 UTC
> > in which case, someone else can attach a shadow root, or worse yet, anyone can access to template's content and have reference to those nodes.
>
> Declarative shadow roots are necessarily a cooperative construct - the generator of the shadow root and the element have to coordinate - and I'm definitely not worried about breaking encapsulation this way.

Breaking encapsulation in this scenario would definitely be a show stopper for us.

> A component will _have_ to opt-in to SSR somehow and have to trust the declarative SR contents. If a component author is worried that there will somehow be an attack via declarative SR, then they should not support it, ie, it should throw when they call `attachShadow` as it does now.

This is not about the malicious case of something attacking since there is no security boundary right now. However, it's very easy for some residual script on a page to start accessing random nodes via MutationObserver, etc...

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/871#issuecomment-604780767