On 11/8/12 9:28 AM, Elliott Sprehn wrote:
If you're worried about malicious attacks on your widget, shadows being private is not enough. You need a whole new scripting context.
Er... yes, you do. Do widgets not get that? If not, that's pretty broken...
Google Feedback is an HTML rendering engine written in JS. To render the document you need access to every DOM node so you can draw it to a canvas.
I see. It'll still break with things like images and whatnot if you want to extract the data from that canvas (in general, modulo CORS etc), but yes, I can see how not being able to get inside components is a problem.
I wonder whether making access to the insides of components work based on same-origin restrictions + CORS makes sense.
-Boris
