On Thu, Feb 13, 2014 at 2:35 AM, Anne van Kesteren <[email protected]> wrote:
> On Thu, Feb 13, 2014 at 12:04 AM, Alex Russell <[email protected]> wrote:
> > Until we can agree on this, Type 2 feels like an attractive nuisance and, on
> > reflection, one that I think we should punt to compilers like caja in the
> > interim. If toolkits need it, I'd like to understand those use-cases from
> > experience.
>
> I think Maciej explains fairly well in
> http://lists.w3.org/Archives/Public/public-webapps/2011AprJun/1364.html
> why it's good to have. Also, Type 2 can be used for built-in elements,
> which I thought was one of the things we are trying to solve here.

I encourage you to go through the exercise that arv has. What does it mean, in practice, to *really* defend against "deliberate access" (Maciej's Type 2). If you were to try to implement a built-in using what, in your mind, is Type 2, would it work? Would you really be able to hang privileged user access off that implementation?

Any time I consider the question, it leads me to want to lock down all routes to access outside some (unspecified, and I fear unspecifiable until we get *much* stronger primitives) relationship between a script execution context and some subset of the DOM. This is painful because DOM makes transport across "worlds" so trivial. Iframes, built-in-controls and caja have all done this, but they do it by going for Type 4.

There is no spoon. Type 2 is a mirage.
