EPA-WG / custom-element

Declarative Custom Element
Apache License 2.0

Security scopes #2

Open sashafirsov opened 1 year ago

sashafirsov commented 1 year ago

Some DCEs would act as a "mediator" and pipe the content through transparently with a little adjustment of the content. Whether it is UX activity analytics, localization, or an accessibility decorator, the application author needs a level of control over what a particular DCE instance/HTML include/HTML module has access to and is able to change. The reasons would vary, from security (why should an accessibility layer track user activities?) to insulation of apps from different domains (why give app keys access to a foreign domain?).

What would scope control?

scope presets

In addition to none and anonymous, scopes can be defined and named by the context owner.

Using a scope of the same name defines the concept of a library: a related set of components which share the same configuration and insulation layers.

scope inheritance

Since scopes work within a context, its hierarchy is applied to scopes. But on the outer (owner) level the inner scopes can be redefined and passed through. For example, the Bootstrap CSS library can be named on the page level as bootstrap-css, and components which use or override its rules would have scope="bootstrap-css".

sashafirsov commented 1 year ago

Is there a need for an explicit scope mix? scope="a,b"?

sashafirsov commented 1 year ago

scope definition

Is a subset of the DWA descriptor. Perhaps it is identical?

sashafirsov commented 1 year ago

The scope is a candidate for [Proposal] context and scope in DCE, HTML module, DWA, HTML include, template in https://discourse.wicg.io/

sashafirsov commented 1 year ago

History

Since the very beginning of HTML, scopes have been extensively used

Glossary

sashafirsov commented 1 year ago

domain and subdomain scope

In a similar fashion to cookies. If Domain is specified, then subdomains are always included.
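
The cookie rule referred to in the comment above, as an added example that is not part of the original thread or of the DCE project: it applies RFC 6265 domain matching to a scope check, showing that an omitted Domain is host-only while a specified Domain covers subdomains. `scopeMatches`, its parameters and the sample hosts are hypothetical.

```javascript
// Added illustration, not DCE API: cookie Domain semantics (RFC 6265)
// applied to a hypothetical scope check. Real cookie handling also rejects
// public suffixes (for example "com") as a Domain; that step is omitted here.

const isIpLiteral = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
const canon = (h) => h.trim().toLowerCase();

// RFC 6265 section 5.1.3 domain-match: the host is identical to the domain,
// or the domain is a dot-separated suffix of a host that is not an IP address.
function domainMatch(host, domain) {
  const h = canon(host);
  const d = canon(domain).replace(/^\./, ""); // a leading dot is ignored
  if (h === d) return true;
  return !isIpLiteral(h) && h.endsWith("." + d);
}

// Hypothetical check: may requestHost use a scope declared by originHost?
// domainAttr undefined or "" means Domain was omitted, i.e. host-only.
function scopeMatches(requestHost, originHost, domainAttr) {
  if (!domainAttr) return canon(requestHost) === canon(originHost);
  // The declaring host must itself fall under the Domain it names,
  // otherwise any host could declare a scope for a foreign domain.
  if (!domainMatch(originHost, domainAttr)) return false;
  return domainMatch(requestHost, domainAttr);
}

// Constructed sample hosts: [requestHost, originHost, domainAttr]
const cases = [
  ["app.example.com", "app.example.com", undefined],         // same host
  ["cdn.app.example.com", "app.example.com", undefined],     // host-only: subdomain excluded
  ["cdn.app.example.com", "app.example.com", "example.com"], // Domain set: subdomain included
  ["badexample.com", "app.example.com", "example.com"],      // plain string suffix, not a subdomain
  ["app.example.com", "app.example.com", "other.test"],      // foreign Domain refused
  ["app.example.com", "app.example.com", ".Example.COM"],    // leading dot and case ignored
];

function runCases() {
  return cases.map(([req, origin, domain]) => scopeMatches(req, origin, domain));
}

console.log(runCases());
```
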

sashafirsov commented 1 year ago

The scope in the DCE POC is limited to the DCE root as associated data slice set. Other scopes or page-level interaction are not exposed, hence no need for scope limitations.