Allowing javascript on the parent? #11

Closed
bluepnume opened this issue Jun 18, 2016 · 1 comment
bluepnume commented Jun 18, 2016

The way I've been designing this so far is to prevent any custom JavaScript from running on the parent site.

This makes it safer for component users, because they can see that the only code they're running is:

  1. xcomponent, which is open source and unlikely to contain vulnerabilities
  2. A small custom component definition which (as of now) contains no logic or runnable code, and could even just be serialized JSON.

But allowing parent-side logic is becoming more and more necessary, for features like:

And probably other future features.

Is there a way to mitigate this? I'd love to keep some of this executable logic in the child window, but the issues above are both things we need to know before we can even begin to render.

Also we're limited to having to do a lot synchronously, since if the component author wants to render a popup, we have to do everything in the same frame as the button click.

Thoughts?

@bluepnume

Leaning in the direction of a 'yes' on this. Reasons:

  1. We're already allowing functions for prop defaults
  2. At least the component definition should always be pretty lightweight, meaning whoever is pulling it in should be able to easily scan it for vulnerabilities
  3. It's still possible to write 'JavaScript free' component definitions if you want to, as a subset of possible definitions
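One way a component consumer could enforce the 'JavaScript free' subset mentioned in point 3, as an added example that is not xcomponent's own code: walk the definition before registering it and report every field that holds a function. The definition shape used here (`tag`, `url`, `props` with defaults under `def`) is an assumption for the sample, not xcomponent's actual schema.

```javascript
// Added example, not part of the original issue or of xcomponent.
// Collect the paths of every function-valued field in a component definition.
// A definition with no such paths is plain data: it survives JSON.stringify
// without loss, so whoever pulls it in can review it as a serialized document
// rather than as executable code.
function findExecutablePaths(definition) {
  const found = [];
  const seen = new Set(); // guards against cyclic references

  function walk(value, path) {
    if (typeof value === 'function') {
      found.push(path.join('.'));
      return;
    }
    if (value === null || typeof value !== 'object' || seen.has(value)) {
      return;
    }
    seen.add(value);
    for (const key of Object.keys(value)) {
      walk(value[key], path.concat(key));
    }
  }

  walk(definition, []);
  return found;
}

// True when the definition carries no parent-side executable logic at all.
function isJavascriptFree(definition) {
  return findExecutablePaths(definition).length === 0;
}

// Constructed sample definitions (assumed shape, not xcomponent's real schema).
// Declaring a prop of type 'function' is still data; only an actual function
// value (such as a computed default) is flagged.
const dataOnlyDefinition = {
  tag: 'login-widget',
  url: 'https://example.invalid/login',
  props: { locale: { type: 'string', def: 'en_US' }, onLogin: { type: 'function' } },
};

const definitionWithLogic = {
  tag: 'login-widget',
  url: 'https://example.invalid/login',
  props: { locale: { type: 'string', def: function () { return 'en_US'; } } },
};

console.log(findExecutablePaths(definitionWithLogic)); // prints [ 'props.locale.def' ]
```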
