- From: Constantine A. Murenin <mureninc@gmail.com>
- Date: Mon, 20 May 2013 15:43:58 -0700
- To: Silvia Pfeiffer <silviapfeiffer1@gmail.com>
- Cc: public-html@w3.org

On 20 May 2013 14:52, Silvia Pfeiffer <silviapfeiffer1@gmail.com> wrote:
> The seamless attribute was indeed created for this use case. It states:
> "...seamless mode ... will cause links to open in the parent browsing
> context ..."
>
> To avoid XSS issues, same-origin rules apply, so look at the details
> of http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-seamless

That makes no sense. If you already control the content of the iframe that you're embedding, then there are already other means to make the links open in the parent browsing context.

What about embedding non-same-origin content? Why would any legitimate websites that care about their users /not/ want to have the links open in the parent browsing window?

Actually, why is it not even the default: if the links are clicked on within an iframe, why do they not replace the parent browsing context by default? This would seem like a big fail on the part of the implementation of iframes in modern browsers.

And then instead of getting it right, someone comes up with X-Frame-Options that effectively kills the iframe for use outside of the same-origin sites in the first place. :-(

Sigh.

C.

Received on Monday, 20 May 2013 22:44:29 UTC