W3C home > Mailing lists > Public > public-html@w3.org > February 2009

Re: The <iframe> element and sandboxing ideas

From: Bill Lipa <dojo@masterleep.com>
Date: Sat, 14 Feb 2009 20:58:25 -0800
Message-ID: <80a30c090902142058x59772db6m65a974f6a5185e5e@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: public-html@w3.org
On Sat, Feb 14, 2009 at 3:40 PM, Ian Hickson <ian@hixie.ch> wrote:

> On Sat, 24 May 2008, Bill Lipa wrote:
> > >
> > > I've added a seamless="" boolean attribute to <iframe>, which, if the
> > > content's active document's URI has the same origin as the container,
> > > causes the iframe to size vertically to the bounding box of the
> > > contents...
> >
> > Seamless iframes sound quite excellent.  If the containing document
> > trusts the target iframe, could it opt out of the same origin check?
> > That would allow, for example, web services to provide better integrated
> > widgets.
>
> With the postMessage() API, this is mostly unnecessary at this point. I
> think allowing that is better than having sites have to trust each other
> (it would be very easy if two sites trusted each other like that to spoof
> the DNS of just one on a local network and thus gain access to the data
> on the other).
>


Could you explain how postMessage() allows web services to easily provide
in-page integrated widgets in the way that an opted-in seamless iframe
would?  In particular, I'm interested in providing iframe content that sizes
itself properly within a containing page without unnatural scrollbars or
heavy layers of Javascript.  It's desirable if the iframe can be styled with
the containing page's CSS, but the iframe content does not need script
access to the containing page.
Received on Sunday, 15 February 2009 04:59:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:31 GMT