- From: Elliott Sprehn <esprehn@gmail.com>
- Date: Thu, 8 Nov 2012 09:28:22 -0800
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: Dimitri Glazkov <dglazkov@chromium.org>, Dominic Cooney <dominicc@chromium.org>, public-webapps <public-webapps@w3.org>
- Message-ID: <CAPJYB1i0_=85nnQGSr6TovLCG_6Cc6qOh3UMYRER_4ZPH1Zdhw@mail.gmail.com>
On Thu, Nov 8, 2012 at 8:13 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote: > On 11/8/12 1:45 AM, Elliott Sprehn wrote: > >> That means that I >> doubt you'll get widgets being broken as Boris suggests because people >> aren't going to accidentally modify the inside of your widget. >> > > The problems start when people _maliciously_ modify the inside of your > widget. Again, with XBL you don't get to accidentally modify the insides > of anonymous content (shadow) trees. But there were all sorts of attack > scenarious where people could modify them at all. If you're worried about malicious attacks on your widget, shadows being private is not enough. You need a whole new scripting context. I can override all the String and Array methods, DOM prototype methods, document.createElement, document.implementation methods, MutationObserver etc. or even the ShadowRoot constructor with the current API and still likely capture the inside of your component. This is JavaScript after all. :) You're much better off using a public shadow and then putting your whole widget in a cross domain iframe to get a new scripting context instead of depending on the false security of a private shadow. > > I'd also hate to prevent future innovation like Google Feedback which >> has turned out to be a critical component for Google product success. >> > > I would like to understand more here. How does preventing touching the > shadow tree by default prevent something like Google Feedback? Google Feedback is an HTML rendering engine written in JS. To render the document you need access to every DOM node so you can draw it to a canvas. In the world of web components much, or often all, of your web application ends up inside of a component. We can imagine Gmail is something like: <x-toolbar></x-toolbar> <x-panel> <x-label-sidebar></x-label-sidebar> <x-conversation></x-conversation> </x-panel> Google Feedback would be unnable to access the private shadow tree where the actual content of the page is so your screenshot would be blank. Today Google Feedback "just works" on most pages on the web and can be activated through a bookmarklet on any website, even ones that Google does not control. In the future this wouldn't be possible if shadows were private by default and authors didn't consider all future library and widget integrations. For more information about Google Feedback see my recent architecture presentation: http://elliottsprehn.com/preso/fluentconf/ Another example is Readability: http://www.readability.com/bookmarklets Once the articles on news websites are actually just <x-news-article articleId="{bindingForArticleId}"></x-news-article> and load from the model into their shadow they become hidden from bookmarklets that wish to traverse down into them making future innovations like Readbility difficult without super hacks. - E
Received on Thursday, 8 November 2012 17:29:33 UTC