On 11/1/12 7:41 AM, Tab Atkins Jr. wrote:
> There was no good *reason* to be private by default

Yes, there was. It makes it much simpler to author non-buggy components. Most component authors don't really contemplate how their code will behave if someone violates the invariants they're depending on in their shadow DOMs. We've run into this again and again with XBL.

So pretty much any component that has a shadow DOM people can mess with but doesn't explicitly consider that it can happen is likely to be very broken. Depending on what exactly it does, the brokenness can be more or less benign, ranging from "doesn't render right" to "leaks private user data to the world".

> As a general rule, we should favor being public over
> being private unless there's a good privacy or security reason to be
> private.

As a general rule we should be making it as easy as possible to write non-buggy code, while still allowing flexibility. In my opinion.

-Boris
