- From: Alex Russell <notifications@github.com>
- Date: Wed, 30 Mar 2016 02:55:36 -0700
- To: w3ctag/spec-reviews <spec-reviews@noreply.github.com>
Received on Wednesday, 30 March 2016 09:56:12 UTC
I'd like to dig into the `<iframe>` perf and security concerns. `X-Frame-Options` allows e.g. the Security page to Accounts page to decide what parent origins to allow embedding from. The `postMessage` dance does suck, but in terms of performance, a Service Worker should allow the Security page to appear near-instantly in every case. Is the complexity concern that allowing iframing at all is opening Pandora's box?

Also, doesn't the eTLD+1 reliance on the public suffix list open this feature up to potential subversion? Obviously everything else would suffer from a suffix list hack, but perhaps not to the same extent?