Security scopes

Question

Security scopes

Opened this issue 2 years ago · 6 comments

Some DCE would act as "mediator" and pipe the content transparently with a little adjustment of content. Whether it is an UX activities analytics, localization, or accessibility decorator application author needs a level of control what particular DCE instance/html include/html module has access to and able to change. The reasons would vary. From security( why accessibility layer should track user activities?) to insulation of apps from different domains( why give app keys access to foreign domain).

What would `scope` control?

own baseURI to resolve references to dependent resources
*own importmaps to resolve non-relative and non-absolute URIs
own permitted domains to work against
request mapping and transformation pipeline
DOM/CSS insulation level. From none to full which matches no insulation as in usual STYLE tag to shadowDOM.
Scope variables, a substitution to globals.

scope presets

In addition to none and anonymous the scopes can be defined and named by context owner.

Using the scope of same name defines the concept of library - a related set of components which share same configuration and insulation layers.

scope inheritance

Since scopes are working within context, it's hierarchy is applied for scopes. But on the outer(owner) level the inner scopes can be redefined and passed through.
For example, Bootstrap CSS library can be named on page level as bootstrap-css and components which use or override its rules would have scope="bootstrap-css".

Answer 1 · 2022-12-11T19:17:08.000Z

Is there a need for explicit scopes mix? scope="a,b"?

Answer 2 · 2022-12-11T19:21:34.000Z

scope definition

Is a subset of DWA descriptor. Perhaps is identical?

Answer 3 · 2022-12-12T06:53:57.000Z

The scope is a candidate for [Proposal] context and scope in DCE, HTML module, DWA, HTML include, template
in https://discourse.wicg.io/

Answer 4 · 2022-12-12T06:54:26.000Z

History

Since very beginning of HTML the scopes been extensively used

Glossary

DCE - declarative Custom Element
HTML include
DWA - Declarative Web Application (link TBD)
Template - proposal is pending, discussion on templates in html include thread

Answer 5 · 2022-12-13T05:53:59.000Z

domain and subdomain scope

in similar fashion as cookies. If Domain is specified, then subdomains are always included.

Answer 6 · 2023-04-05T05:13:43.000Z

the scope in DCE POC is limited to DCE root as associated data slice set. Other scopes or page level interaction is not exposed, hence no need for scope limitations.

What would scope control?