- From: James Browning <notifications@github.com>
- Date: Sun, 11 Apr 2021 22:25:35 -0700
- To: WICG/webcomponents <webcomponents@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 12 April 2021 05:25:48 UTC
> Well even in the DSD case, how does the author know that the DSD root is own by their framework, and not just some random shadow root some user arbitrarily added into the DOM? Seems like always overwriting content is the safe way to go (but not best for performance due to always re-creating everything). This is unknowable, but at the end of day they could as easily mess with your component in a plenty of ways e.g. they could override `.attachShadow` or just generally modify your components code. If it's served from first-party you might as well just implement under the assumption it's correct, because they can freely break it if they want to and you can't stop them. Although if your component is loaded as a third-party component (e.g. like a social media button or whatever), then yeah probably best to distrust the shadow root (and still even then, they could just download a copy of the script and modify it, so there's really no winning here). What I'll probably do is just assume that the component is used correctly, and maybe have a couple basic assertions on things to verify that the wrong thing isn't done and leave it at that. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/WICG/webcomponents/issues/914#issuecomment-817490869
Received on Monday, 12 April 2021 05:25:48 UTC