Component Model is not an Isolation Model from Dimitri Glazkov on 2011-03-10 (public-webapps@w3.org from January to March 2011)

From: Dimitri Glazkov <dglazkov@chromium.org>
Date: Wed, 9 Mar 2011 16:30:28 -0800
To: public-webapps <public-webapps@w3.org>
Message-ID: <AANLkTik1USpaF7KuSfW2DACmmrRcf2JCr9_hrQnnNqzn@mail.gmail.com>

Greetings, fellow Web-Platform-o-nauts,

Summary: We need a proper Isolation Model for the Web. Component Model ain't it.

Art's email prodded me to condensate some of brain ether accumulated
while looking at the use cases. Here's some for ya.

After a productive discussion with the Caja folks and some
soul-searching, it appears that we should stay away from attempting to
conflate isolation properties (such as origin restrictions or
bullet-proof DOM membranes) from the component model properties (such
as encapsulation and behavior attachment).

>From the perspective of the component, the isolation is unfairly
punishing -- you can't use the outside DOM or even DOM element on
which you're hoisted, you can't add methods to it, and you have to
always imagine the membrane in order to build a proper mental model of
what the heck you're trying to accomplish.

>From the perspective of the document, the isolation is too fiddly:
it's rare that the level of isolation at the _individual_ component
level is what's actually necessary. More likely, the isolation scope
extends over a set of controls, a theme or just a pile of code. Having
components isolated independently is unnecessarily complex and
difficult to manage. Isolating components in bunches (a-la XBL
documents) is also suboptimal, because it conflates modularity of
controls with isolation boundaries.

Moreover, after looking at Caja primitives, it was easy to surmise
that as long as the component model API has a sound (i.e. non-crazy)
design, its security/isolation can be:
a) teased apart cleanly from the requirements of the component model;
b) spec'd and implemented separately.

This means that use cases
http://wiki.whatwg.org/wiki/Component_Model_Use_Cases#Using_Shadow_DOM_Boundary_for_Isolation
are not going to be addressed by the component model alone.

However, it does _not_ mean that we shouldn't prioritize development
of a proper isolation model. We merely should recognize that isolation
and encapsulation are two different things.

:DG<

Received on Thursday, 10 March 2011 00:30:57 UTC