Re: <iframe doc="">

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 18 Jan 2010 16:03:09 -0800
Message-ID: <7789133a1001181603j53e96f7n969ff2e249a5b435@mail.gmail.com>
To: Joe D Williams <joedwil@earthlink.net>
Cc: Henri Sivonen <hsivonen@iki.fi>, public-html@w3.org

On Mon, Jan 18, 2010 at 3:48 PM, Joe D Williams <joedwil@earthlink.net> wrote:
>> I don't understand why you think object/embed provides more security than
>> iframe.  When you load HTML into an object/embed, what you get is exactly
>> the same as an iframe.
>
> Not in detail, I think you will find.
> I meant to say that <iframe> is for html while <object> and <embed> are
> designed for plugins or other 'external' scriptable runtime like flash or
> other live content. If you use <object> or <embed> I think you will find
> events do not work the same as for <iframe>. For example if <iframe> we try
> to limit access so that the 'nested' DOM acts like it is not accessible from
> the host DOM. For <object> and <embed> that is not a simulation. The context
> is actually different and events (should get) passed in an entirely
> different but familiar way.

Really?  Do you have test cases that demonstrate this difference?  In
WebKit, HTMLObjectElement, which represents the <object> element, is a
subclass of HTMLFrameOwnerElement, which represents all the frame-like
elements (e.g., <frame>, <iframe>).  If you put text/html into an
<object> element (which is what we're suggesting with @doc), then it
acts just like a frame.

Adam
Received on Tuesday, 19 January 2010 00:04:16 GMT
