Re: The <iframe> element and sandboxing ideas

On Sat, 14 Feb 2009, Bill Lipa wrote:
> On Sat, Feb 14, 2009 at 3:40 PM, Ian Hickson <ian@hixie.ch> wrote:
> > On Sat, 24 May 2008, Bill Lipa wrote:
> > > >
> > > > I've added a seamless="" boolean attribute to <iframe>, which, if 
> > > > the content's active document's URI has the same origin as the 
> > > > container, causes the iframe to size vertically to the bounding 
> > > > box of the contents...
> > >
> > > Seamless iframes sound quite excellent.  If the containing document 
> > > trusts the target iframe, could it opt out of the same origin check? 
> > > That would allow, for example, web services to provide better 
> > > integrated widgets.
> >
> > With the postMessage() API, this is mostly unnecessary at this point. 
> > I think allowing that is better than having sites have to trust each 
> > other (it would be very easy if two sites trusted each other like that 
> > to spoof the DNS of just one on a local network and thus gain access 
> > to the data on the other).
> 
> Could you explain how postMessage() allows web services to easily 
> provide in-page integrated widgets in the way that an opted-in seamless 
> iframe would?  In particular, I'm interested in providing iframe content 
> that sizes itself properly within a containing page without unnatural 
> scrollbars or heavy layers of Javascript.  It's desirable if the iframe 
> can be styled with the containing page's CSS, but the iframe content 
> does not need script access to the containing page.

The seamless styling couldn't be done easily, but it could be done (just 
link to the same style sheet, and then have script on the outer side 
waiting for script on the inner side to tell it its dimensions).

I suggest we wait to see what the experience is with seamless="" before 
allowing cross-origin seamless="" support directly.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Saturday, 25 April 2009 21:44:48 UTC
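The handshake Hickson sketches (same style sheet, inner script reporting its height, outer script waiting for it) rests on postMessage() rather than on relaxing the same-origin check, so the embedding page has to decide for itself which frame it believes. The following is an added example, not code from the thread or from any browser or spec; the widget origin `https://widget.example`, the `iframe#widget` element and the `{type, height}` message shape are assumptions made for the example.

```javascript
// Added example: postMessage-based iframe sizing with origin and source checks.
// The origin, element id and message shape below are assumptions, not from the thread.

const WIDGET_ORIGIN = "https://widget.example"; // assumed origin of the embedded widget
const MAX_HEIGHT = 5000;                         // clamp so a misbehaving frame cannot stretch the page without limit

// Inner (widget) side: describe the height the parent should apply.
function buildResizeMessage(height) {
  return { type: "resize", height: Math.floor(height) };
}

// Inner side: send the height to the parent only. Passing the parent's
// exact origin as targetOrigin means nothing is delivered to an unexpected
// embedder, which is the trust problem the reply above is worried about.
function postHeightToParent(win, parentOrigin) {
  const h = win.document.documentElement.scrollHeight;
  win.parent.postMessage(buildResizeMessage(h), parentOrigin);
}

// Outer (embedding) side: accept a height only when it comes from the
// expected origin AND from the specific frame we embedded, and only when
// the payload is a bounded non-negative integer. Returns the height to
// apply, or null when the message must be ignored.
function acceptedHeight(event, frameWindow, expectedOrigin = WIDGET_ORIGIN) {
  if (event.origin !== expectedOrigin) return null; // some other site is talking to us
  if (event.source !== frameWindow) return null;    // right origin, but not the frame we embedded
  const d = event.data;
  if (!d || d.type !== "resize") return null;
  if (!Number.isInteger(d.height) || d.height < 0 || d.height > MAX_HEIGHT) return null;
  return d.height;
}

// Browser glue; skipped when the file is loaded outside a browser (e.g. Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.querySelector("iframe#widget"); // assumed element id
  window.addEventListener("message", (event) => {
    const h = acceptedHeight(event, frame.contentWindow);
    if (h !== null) frame.style.height = h + "px";
  });
}
```

In the widget document the same script would call `postHeightToParent(window, "https://embedder.example")` after layout, with the embedder's real origin substituted.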