Closed Shadow DOM
Real form inside a sealed web component. Selectors cannot reach it.
What's measured on this page
- The login form is rendered inside a closed shadow root on a custom element called <sealed-login>.
- A closed shadow root is an explicit DOM-level privacy boundary. Nothing outside the component can read or write its internals — not document.querySelector, not the accessibility tree, not Playwright's locators, not even the shadow-piercing combinator >>> (which works only on open shadow roots).
- Inside the shadow root, a fully working form behaves like any other: focusable inputs, real submit, real success message — all inaccessible from outside.
- A vision-based automation tool reads the visible labels and inputs off the rendered page. The DOM privacy boundary is irrelevant — the rendered pixels are public.
The form lives inside a <sealed-login> custom element with attachShadow({ mode: 'closed' }).
Open DevTools and try document.querySelector('sealed-login input') — it returns null.
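The lookups described above, as an added example (not code from this page): it registers a closed <sealed-login> next to a hypothetical open <open-login> for contrast and reports which outside lookups reach an input. The function names, the `win` parameter and the form markup are assumptions made for illustration.

```javascript
// Added example; 'open-login' and the form markup are constructed for contrast.
function defineLogin(win, tag, mode) {
  if (win.customElements.get(tag)) return; // keep a definition the page already has
  class Login extends win.HTMLElement {
    #root; // the component's private handle to its own shadow root
    constructor() {
      super();
      this.#root = this.attachShadow({ mode });
      this.#root.innerHTML =
        '<form><label>User <input name="user"></label>' +
        '<label>Password <input name="pass" type="password"></label>' +
        '<button>Sign in</button></form>';
    }
  }
  win.customElements.define(tag, Login);
}

// Run the lookups an outside script or test tool would try against `tag`.
function probe(win, tag) {
  const doc = win.document;
  const host = doc.createElement(tag);
  doc.body.appendChild(host);
  const root = host.shadowRoot; // null when the root is closed
  const result = {
    // Descendant selectors stop at the shadow boundary in both modes.
    viaDocumentSelector: doc.querySelector(tag + ' input') !== null,
    // Only an open root is handed out through host.shadowRoot.
    rootExposed: root !== null,
    viaShadowRoot: root !== null && root.querySelector('input') !== null,
  };
  host.remove();
  return result;
}

function compareModes(win) {
  defineLogin(win, 'sealed-login', 'closed');
  defineLogin(win, 'open-login', 'open');
  return { closed: probe(win, 'sealed-login'), open: probe(win, 'open-login') };
}

// In a browser console this logs: closed -> every field false;
// open -> rootExposed and viaShadowRoot true, viaDocumentSelector still false.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  console.log(compareModes(window));
}
```

For test suites you own, the contrast shows the practical choice: an open root keeps fields addressable through host.shadowRoot, while a closed root leaves only the component's own code holding a reference.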
Production apps using this technique
- Salesforce Lightning (LWC) — Lightning Web Components default to a Salesforce-managed shadow root. The entire CRM UI is built from sealed components — selectors get nowhere without Salesforce-specific tooling. Market: ~20% of global CRM (largest vendor). Users: 150K+ customer orgs; ~300M end users.
- ServiceNow Workspace and Now UI components — ServiceNow's newer interfaces use Web Components with closed shadow roots. Test frameworks that ship with the platform are the only supported automation path. Market: ~45% of ITSM (largest in category). Users: 8K+ enterprise customers; ~85% of Fortune 500.
- SAP UI5 and Fiori — Major enterprise resource planning surfaces shipped by SAP encapsulate every widget. Standard selectors fail; SAP provides its own component-aware automation API. Market: ~24% of ERP market (largest vendor). Users: 440K+ customers; 92% of Forbes Global 2000.
- Polymer-based legacy apps (YouTube Studio, parts of Workspace) — Older Google apps use Polymer, which can configure shadow roots as closed. External automation has been a known pain point for years. Market: YouTube ~80% of online video. Users: YouTube: 2.5B+ monthly users; YouTube Studio: ~50M+ creators.
- Stencil-generated component libraries (Ionic, several SaaS UIs) — Stencil compiles to native Web Components and components can opt into closed shadows for tighter encapsulation. The pattern is widespread in enterprise design systems. Market: Ionic ~15% of hybrid-mobile framework market. Users: Ionic: 5M+ developers, 1M+ apps shipped; Stencil ~100K+ devs.
- Banking UI kits and PCI-scoped widgets — Some banks ship login keypads and card-entry widgets as sealed Web Components, deliberately to prevent third-party scripts (and incidentally any automation) from reading inside. Market: Pattern adopted across Tier-1 retail-banking platforms (FIS, Temenos, etc.). Users: Hundreds of millions of online banking customers worldwide.
Figures are approximate / company-disclosed (~2024–2025). Sources: company filings, industry reports (Gartner, IDC, BuiltWith, npm stats), and public DAU disclosures.