- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 08 Nov 2012 21:26:53 -0800
- To: Elliott Sprehn <esprehn@gmail.com>
- CC: Dimitri Glazkov <dglazkov@chromium.org>, Dominic Cooney <dominicc@chromium.org>, public-webapps <public-webapps@w3.org>
On 11/8/12 9:28 AM, Elliott Sprehn wrote: > If you're worried about malicious attacks on your widget, shadows being > private is not enough. You need a whole new scripting context. Er... yes, you do. Do widgets not get that? If not, that's pretty broken... > Google Feedback is an HTML rendering engine written in JS. To render the > document you need access to every DOM node so you can draw it to a > canvas. I see. It'll still break with things like images and whatnot if you want to extract the data from that canvas (in general, modulo CORS etc), but yes, I can see how not being able to get inside components is a problem. I wonder whether making access to the insides of components work based on same-origin restrictions + CORS makes sense. -Boris
Received on Friday, 9 November 2012 05:27:22 UTC