Re: The <iframe> element and sandboxing ideas

On Sat, Feb 14, 2009 at 3:40 PM, Ian Hickson <ian@hixie.ch> wrote:

> On Sat, 24 May 2008, Bill Lipa wrote:
> > >
> > > I've added a seamless="" boolean attribute to <iframe>, which, if the
> > > content's active document's URI has the same origin as the container,
> > > causes the iframe to size vertically to the bounding box of the
> > > contents...
> >
> > Seamless iframes sound quite excellent.  If the containing document
> > trusts the target iframe, could it opt out of the same origin check?
> > That would allow, for example, web services to provide better integrated
> > widgets.
>
> With the postMessage() API, this is mostly unnecessary at this point. I
> think allowing that is better than having sites have to trust each other
> (it would be very easy if two sites trusted each other like that to spoof
> the DNS of just one on a local network and thus gain access to the data
> on the other).

Could you explain how postMessage() allows web services to easily provide
in-page integrated widgets in the way that an opted-in seamless iframe
would?  In particular, I'm interested in providing iframe content that sizes
itself properly within a containing page without unnatural scrollbars or
heavy layers of JavaScript.  It's desirable if the iframe can be styled with
the containing page's CSS, but the iframe content does not need script
access to the containing page.

Received on Sunday, 15 February 2009 04:59:02 UTC
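
The postMessage() approach mentioned in the quoted reply, applied to iframe sizing only, as an added example that is not part of the original thread: the widget reports its content height and the embedding page applies it after checking the sender. The origin `https://widget.example`, the `{type, height}` message shape, the element id `widget-frame` and the height cap are assumptions made for illustration.

```javascript
// Added example: parent-page handler for height messages from an embedded widget.
// WIDGET_ORIGIN, MAX_HEIGHT and the message shape {type, height} are assumptions.
const WIDGET_ORIGIN = "https://widget.example"; // hypothetical widget origin
const MAX_HEIGHT = 2000;                        // upper bound in CSS pixels

// Returns the height applied to the iframe, or null if the message was rejected.
function handleResizeMessage(event, iframe) {
  // Exact origin comparison; no substring, prefix or suffix matching.
  if (event.origin !== WIDGET_ORIGIN) return null;
  // The sender must be the frame we embedded, not another window on that origin.
  if (event.source !== iframe.contentWindow) return null;
  const data = event.data;
  if (data === null || typeof data !== "object") return null;
  if (data.type !== "widget-resize") return null;
  const h = data.height;
  // Treat the payload as untrusted: numbers only, finite, non-negative.
  if (typeof h !== "number" || !Number.isFinite(h) || h < 0) return null;
  // Clamp so the widget cannot push the host page's content arbitrarily far down.
  const clamped = Math.min(Math.ceil(h), MAX_HEIGHT);
  iframe.style.height = clamped + "px";
  return clamped;
}

// Widget side: report content height to the expected embedder only.
// parentOrigin is the embedding site's origin (assumption); never pass "*".
function reportHeight(win, doc, parentOrigin) {
  const msg = { type: "widget-resize", height: doc.documentElement.scrollHeight };
  win.parent.postMessage(msg, parentOrigin);
  return msg;
}

// Browser wiring for the parent page; skipped when no DOM is present.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.getElementById("widget-frame"); // hypothetical id
  if (frame) {
    window.addEventListener("message", (e) => handleResizeMessage(e, frame));
  }
}
```

The parent grants the widget nothing beyond setting one clamped height value, so neither site needs script or data access to the other.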