Re: Isolated Web Components for a more secure web

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 1 Jul 2014 10:41:10 +0200
Message-ID: <CADnb78hd8rU8aVMj8Aa4uysFf=nFSiusRu3hgkcp33VYGvio-w@mail.gmail.com>
To: Eduardo Robles Elvira <edulix@agoravoting.com>
Cc: "Eduardo' Vela" <evn@google.com>, WebAppSec WG <public-webappsec@w3.org>

On Tue, Jul 1, 2014 at 10:22 AM, Eduardo Robles Elvira
<edulix@agoravoting.com> wrote:
> You don't want to use an iframe instead of a web component. You might
> have a web component being used multiple times in a single webpage,
> like for showing dates in GitHub. And in that case you wouldn't use an
> iframe, would you? The proposal I made includes web component pinning
> and interaction with the security features of the web browser. The idea
> of isolated web components is to be the equivalent of SSL for
> end-to-end user security.

You can't have isolation without having an isolated global object.
<iframe> is pretty much that (except the global is not always
isolated, but the important point is that it can be). If you would
just use one instance of an isolated component on a page, I don't
think we could make the cost much lower than an <iframe>. For /n/
instances of the same component the cost could probably be lower than
/n/ <iframe>s. If components lived in a package together and you just
isolated against the package, you could probably reduce the cost even
more (and I suspect this is what a browser would want to implement all
the form elements, otherwise it would get very expensive, so maybe we
need to explore this direction).

Received on Tuesday, 1 July 2014 08:41:37 UTC
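
An added illustration of the point in the message above that isolation requires a separate global object; it is not part of the original email. Node's `vm` context is an assumed stand-in for a browser realm such as an <iframe> (it shows separate built-ins only and is not itself a security boundary), and `renderDate`, `loadShared`, `loadIsolated`, `withTamperedDate` and `demo` are hypothetical names.

```javascript
// Added illustration: Node's vm module stands in for a browser realm such as an <iframe>.
const vm = require('node:vm');

// Component source (constructed): renders a date, like the per-page date widget
// mentioned in the quoted message. It trusts the Date built-in of its own global.
const componentSource = `
  (function renderDate(ms) {
    return new Date(ms).toISOString().slice(0, 10);
  })
`;

// Evaluate the component in the page's own global: it shares Date.prototype with the page.
function loadShared() {
  return (0, eval)(componentSource); // indirect eval runs in the current global scope
}

// Evaluate the component in a fresh context: new global object, new set of built-ins.
function loadIsolated() {
  const realm = vm.createContext({});
  return vm.runInContext(componentSource, realm);
}

// Simulate other script on the page replacing a built-in, run fn, then restore it.
function withTamperedDate(fn) {
  const original = Date.prototype.toISOString;
  Date.prototype.toISOString = function () { return '1970-01-01T00:00:00.000Z'; };
  try { return fn(); } finally { Date.prototype.toISOString = original; }
}

// Both components are loaded first, then called while the page's built-in is replaced.
function demo() {
  const ms = Date.UTC(2014, 6, 1); // 1 July 2014, 00:00 UTC
  const shared = loadShared();
  const isolated = loadIsolated();
  return withTamperedDate(() => ({
    shared: shared(ms),     // sees the page's modified Date.prototype
    isolated: isolated(ms), // uses the Date.prototype of its own global
  }));
}

console.log(demo());
```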