Re: Encapsulation and defaulting to open vs closed (was Re: Shadow DOM Encapsulation)

On Feb 7, 2014, at 1:09 PM, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:

> On 2/6/14 8:44 PM, Boris Zbarsky wrote:
>> It's been clear.  I just thought, and still think, that given our past
>> experience with XBL it's a mistake to scope the problem as you have.
> I should clarify.  That's my personal viewpoint, not necessarily Mozilla's position.
> I also think that rescoping the problem to the one I'm particularly interested in, which would be type 4 in Maciej's typology, means not getting anything for a while, because the primitives involved (multiple globals, cross-global security membranes or separate worlds or something else along those lines) are simply not there right now in the platform.  Several browsers have some versions of it, but even those disagree wildly on how that sort of thing should work.  And I mean the security engineers involved, not just the implementations.
> So while it would be nice if we all had focused on type 4 encapsulation a few years ago and actually driven through the bits needed for it, I don't think we should be holding up web components for it at this point.  Especially because I'm not sure how much others care about type 4 (e.g. Maciej is not very interested in it).

I am interested in it (or really the combination of 4+5). I just think Type 2 is independently valuable as well, and much less complex.

I believe a strong security boundary is the right way to do cross-domain hosting, such as social network like buttons, third-party comment systems, hosted video or ads. I also do not speak for Apple but I believe many at Apple agree with me that this would be valuable.

I think Type 2 level protection is sufficient for the non-cross-domain case, and in my opinion better than Type 1 for at least some kinds of projects. It's true that the JS frameworks of today allow lots of cool stuff to be built with even less protection, not even Type 1. But part of the goal for Web Components is to provide stronger encapsulation to make components defined by libraries more robust and reusable.

In addition to favoring Type 2 encapsulation, I am also concerned that shadow DOM doesn't seem to be providing the right building blocks to create a system with Type 4/5 encapsulation, even in combination with as-yet-undefined additional security features. I am skeptical that security isolation can be bolted on to a system that is designed to be completely open.


Received on Friday, 7 February 2014 21:58:45 UTC