Re: Isolated Web Components for a more secure web

From: Eduardo Robles Elvira <edulix@agoravoting.com>
Date: Tue, 1 Jul 2014 10:22:10 +0200
Message-ID: <CAHwZu3cRNOkgRBZ8FCTpGtXvwUhmdH2eWwn1QNKm+o68CAyL3Q@mail.gmail.com>
To: "Eduardo' Vela" <evn@google.com>
Cc: public-webappsec@w3.org

On Mon, Jun 30, 2014 at 6:00 PM, Eduardo' Vela" <Nava> <evn@google.com> wrote:
> ShadowDOM used to have security properties but they got removed (not sure
> why, but when I took a look it was easy to work around them).
>
> It seems like this proposal is just iframes anyway right? Or how are the
> isolated components different from iframes?

Hello Eduardo:

It's true that this has some resemblance to iframes, in the idea of
having a shadow dom that is not accessible. Other than that, the only
resemblance is the resemblance between iframes and web components. One
could also ask, how are web components different from iframes, in
general?

You don't want to use an iframe instead of a web component. You might
have a web component being used multiple times in a single webpage,
like for showing dates in github. And in that case you wouldn't use an
iframe, would you? The proposal I made includes web component pinning
and interaction with the security features of the web browser. The idea
of isolated web components is to be the equivalent of SSL for
end-to-end user security.

If browsers had isolated web-components, Google wouldn't have created
"end-to-end" [1] as a chrome extension - it could have made it
available in Gmail Labs as an isolated web component - that would work
in multiple web browsers and have the same level of security. That's
the real power of web components in isolation - and because such a
thing cannot be currently done, that's why I think we need it.

Regards,
Eduardo
Received on Tuesday, 1 July 2014 08:23:08 UTC
