`body /deep/ span` reveals cleartext

[timoxley]

The /deep/ combinator can cross the shadow boundary, allowing a host script read/write access the same cleartext DOM presented to the user.

A parent application can easily get all ShadowCrypt cleartext on a page:

[].slice.call(document.querySelectorAll('body /deep/ span'))
.map(function(el) {
  return el.innerText
}).join('\n')

Not sure there's a way around it at this point.

[wh0]

confirmed. thanks for reporting.

[wh0]

http://dev.w3.org/csswg/css-scoping/ for my own reference

[koto]

Any update on this? With the cleartext availability your extension offers nothing more than a snakeoil.

[wh0]

df741a0

[dzfranklin]

/deep/ was only supported in Chrome and has been deprecated.
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/68qSZM5QMRQ/pT2YCqZSomAJ
https://www.chromestatus.com/features/6750456638341120