Re: Fallout of non-encapsulated shadow trees

Tab Atkins Jr. wrote:
> On Tue, Jul 1, 2014 at 6:13 PM, Brendan Eich <brendan@secure.meer.net> wrote:
>> Domenic Denicola wrote:
>>>
>>> From: Brendan Eich [mailto:brendan@secure.meer.net]
>>>>
>>>> That is a false idol if it means no intermediate steps that explain
>>>> some but not all of the platform.
>>>
>>> Sure. But I don't think the proposed type 2 encapsulation explains any of
>>> the platform at all.
>>
>> Are you sure? Because Gecko has used XBL (1) to implement, e.g., <input
>> type=file>, or so my aging memory says. That's "good enough" and it has
>> shipped for years, unless I'm mistaken.
>
> XBL is either type 3, or it's type 2 but weak/magical enough that it
> doesn't actually expose anything.

XBL can expose anonymous content via special API:

https://developer.mozilla.org/en-US/docs/XBL/XBL_1.0_Reference/DOM_Interfaces#getAnonymousNodes

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/Tutorial/XBL_Example
https://developer.mozilla.org/en-US/docs/XBL/XBL_1.0_Reference/Anonymous_Content

I'm rusty on this stuff; bz should correct anything amiss here.

> Gecko does *not* today leak any
> internal details of <input type=file>, in the way that type 2 web
> components would leak; that would be a major security breach.

Right you are -- native anonymous content is special this way. But ES6 
proxies are used (albeit by C++ APIs):

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Language_bindings/XPConnect/XPConnect_security_membranes

So I question whether membranes *and* structured clones are required. 
SES uses membranes without cloning (wrapping, not cloning). This all 
seems doable in-JS with enough care and testing, including 
capability-leak detection. Proxies are awesome!

object-graphs.png

/be

Received on Wednesday, 2 July 2014 03:21:04 UTC
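The "wrapping, not cloning" membrane Brendan sketches above, as an added example that is not code from this thread, from Gecko's XPConnect, or from SES: a minimal ES6 Proxy membrane that hands outside callers proxies for a component's hidden implementation objects, preserves identity through WeakMap caches, unwraps proxies on the way back in, and can be revoked as a unit, plus a small reachability audit of the kind his "capability-leak detection" implies. Every name here (makeMembrane, findLeaks, the <input type=file> stand-in) is an assumption made for the illustration.

```javascript
// Added example, not code from the thread, Gecko or SES. All names are assumptions.
function makeMembrane() {
  const wetToDry = new WeakMap();   // raw ("wet") object -> proxy ("dry") handed outside
  const dryToWet = new WeakMap();   // dry proxy -> raw object, for unwrapping on entry
  const wetObjects = new WeakSet(); // every raw object that has crossed the boundary
  const revokers = [];
  let revoked = false;

  // Outside -> inside: a dry proxy becomes its raw object; anything else passes through.
  const unwrap = (v) => (dryToWet.has(v) ? dryToWet.get(v) : v);

  // Inside -> outside: primitives pass through; each raw object gets exactly one proxy.
  function wrap(value) {
    if (Object(value) !== value) return value;
    if (revoked) throw new TypeError("membrane revoked");
    if (dryToWet.has(value)) return value;     // already dry: never double-wrap
    const cached = wetToDry.get(value);
    if (cached) return cached;
    wetObjects.add(value);
    // A shadow target (never the raw object) keeps default trap behaviour and the
    // Proxy invariants from exposing raw values. An arrow-function shadow has no
    // non-configurable own properties, so wrapped functions are callable through
    // the membrane but not constructible with `new` (a limitation of this sketch).
    const shadow = typeof value === "function" ? () => {} : Array.isArray(value) ? [] : {};
    const handler = {
      get: (_, key) => wrap(Reflect.get(value, key, value)),
      set: (_, key, v) => Reflect.set(value, key, unwrap(v), value),
      has: (_, key) => Reflect.has(value, key),
      deleteProperty: (_, key) => Reflect.deleteProperty(value, key),
      ownKeys: () => Reflect.ownKeys(value),
      getPrototypeOf: () => wrap(Reflect.getPrototypeOf(value)),
      getOwnPropertyDescriptor(_, key) {
        const d = Reflect.getOwnPropertyDescriptor(value, key);
        if (!d) return undefined;
        if ("value" in d) d.value = wrap(d.value);
        if (d.get) d.get = wrap(d.get);
        if (d.set) d.set = wrap(d.set);
        // Proxy invariant: only report non-configurable if the shadow has it so.
        const s = Reflect.getOwnPropertyDescriptor(shadow, key);
        if (!s || s.configurable) d.configurable = true;
        return d;
      },
      apply: (_, thisArg, args) =>
        wrap(Reflect.apply(value, unwrap(thisArg), args.map(unwrap))),
    };
    const { proxy, revoke } = Proxy.revocable(shadow, handler);
    revokers.push(revoke);
    wetToDry.set(value, proxy);
    dryToWet.set(proxy, value);
    return proxy;
  }

  return {
    wrap,
    isWet: (obj) => wetObjects.has(obj),
    revoke() { revoked = true; for (const r of revokers) r(); },
  };
}

// Capability-leak detection: walk everything an outside caller can reach from
// `root` via own properties, accessors and prototypes; report any raw object.
function findLeaks(membrane, root, maxNodes = 2000) {
  const seen = new Set(), queue = [root], leaks = [];
  while (queue.length > 0 && seen.size < maxNodes) {
    const obj = queue.shift();
    if (Object(obj) !== obj || seen.has(obj)) continue;
    seen.add(obj);
    if (membrane.isWet(obj)) leaks.push(obj);
    for (const key of Reflect.ownKeys(obj)) {
      const d = Reflect.getOwnPropertyDescriptor(obj, key);
      if (!d) continue;
      if ("value" in d) queue.push(d.value);
      if (d.get) queue.push(d.get);
      if (d.set) queue.push(d.set);
    }
    queue.push(Reflect.getPrototypeOf(obj));
  }
  return leaks;
}

// Constructed stand-in for a component with hidden implementation objects (think
// of the anonymous content behind <input type=file>). `host` is what page script
// is handed; `internals` must never reach it by identity.
function makeFileInputImpl() {
  const internals = { button: { tag: "button", label: "Browse..." }, path: "", adopted: null };
  const host = {
    tag: "input",
    get value() { return internals.path; },
    set value(v) { internals.path = String(v); },
    click() { return internals.button; },                 // returns a raw internal node
    adopt(node) { internals.adopted = node; return node; },
  };
  return { host, internals };
}

function demo() {
  const m = makeMembrane();
  const { host, internals } = makeFileInputImpl();
  const dryHost = m.wrap(host);
  const node = dryHost.click();                  // a dry proxy, not internals.button
  const results = {
    rawLeaked: node === internals.button,         // false
    sameIdentity: dryHost.click() === node,       // true: one proxy per raw object
    labelReadable: node.label,                    // "Browse..."
  };
  internals.button.label = "Choose";              // mutate on the inside...
  results.liveView = node.label;                  // "Choose": wrapping, not cloning
  // A dry proxy passed back in is unwrapped on entry and re-wrapped on exit.
  results.roundTrip = dryHost.adopt(node) === node && internals.adopted === internals.button;
  results.leaks = findLeaks(m, dryHost).length;   // 0
  m.revoke();                                     // cut every capability at once
  try { void dryHost.value; results.afterRevoke = "reachable"; }
  catch (e) { results.afterRevoke = e.constructor.name; }  // "TypeError"
  return results;
}
```

The point to notice is that nothing is copied: `node.label` reflects a mutation made on the raw object after the proxy was created, yet `node === internals.button` is false and the audit finds no raw object reachable from the host. Revoking the membrane severs every proxy at once, which a structured clone cannot do after the fact.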