
[whatwg] crossorigin property on iframe

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 12 Apr 2012 12:49:47 -0700
Message-ID: <CAJE5ia8pXt7UR-HjWXA9yHT9jooGeDbWtWLRbxUqBUqY0T8Vxg@mail.gmail.com>
On Thu, Apr 12, 2012 at 12:46 PM, Anne van Kesteren <annevk at opera.com> wrote:
> On Thu, 12 Apr 2012 21:30:00 +0200, Ojan Vafai <ojan at chromium.org> wrote:
>> We should add a crossorigin property on iframe that causes the request to
>> use CORS. If it's an allowed cross-domain request, then the page should
>> have access to the DOM of the frame.
>>
>> Also, seamless should work (assuming the CORS request succeeded of
>> course). One tricky thing here is that seamless needs to stop working if
>> the frame is navigated to a different origin to which it does not have
>> CORS access.
>
> This cannot work. CORS only works for sharing a single resource. If you
> expose a DOM on a different origin that *entire* origin would be exposed,
> which would be way more than CORS allows for. You'll have to use a
> postMessage()-based workaround I'm afraid.

The seamless part might be workable, since that leaks information only
from the document in question.  It's possible that there's a better
mechanism than CORS for a child frame to opt into being seamless with
its parent.

Adam
Received on Thursday, 12 April 2012 12:49:47 GMT
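
An added example, not part of the original message: a sketch of the postMessage()-based workaround mentioned in the quoted reply, narrowed to the opt-in idea in the last paragraph, where the child shares only its own content height with an allowlisted parent. The origins, message types and function names are assumptions made for illustration.

```javascript
// Added example: origins, message shape and names are assumptions.
const ALLOWED_PARENTS = new Set(["https://parent.example"]); // constructed origin
const CHILD_ORIGIN = "https://child.example";                // constructed origin

// Child side: answer only an allowlisted parent, and only with this
// document's own layout height. No DOM reference ever crosses the boundary.
function makeChildHandler(allowedParents, measureHeight) {
  return function onMessage(event) {
    if (!allowedParents.has(event.origin)) return false; // unknown embedder
    const msg = event.data;
    if (!msg || msg.type !== "seamless-height?") return false;
    // Explicit targetOrigin: the reply is dropped if the parent window
    // has been navigated to another origin in the meantime.
    event.source.postMessage(
      { type: "seamless-height", height: measureHeight() },
      event.origin
    );
    return true;
  };
}

// Parent side: accept a height only from the expected frame and origin,
// so the sizing stops as soon as the frame navigates to a different origin.
function makeParentHandler(frameWindow, childOrigin, applyHeight) {
  return function onMessage(event) {
    if (event.origin !== childOrigin) return false; // frame is now elsewhere
    if (event.source !== frameWindow) return false; // some other window
    const msg = event.data;
    if (!msg || msg.type !== "seamless-height") return false;
    const h = msg.height;
    if (!Number.isFinite(h) || h < 0 || h > 100000) return false;
    applyHeight(Math.ceil(h));
    return true;
  };
}

// Wiring, one line per page (browser only):
//   child:  window.addEventListener("message", makeChildHandler(
//             ALLOWED_PARENTS, () => document.documentElement.scrollHeight));
//   parent: window.addEventListener("message", makeParentHandler(
//             frame.contentWindow, CHILD_ORIGIN,
//             (h) => { frame.style.height = h + "px"; }));
//           frame.contentWindow.postMessage(
//             { type: "seamless-height?" }, CHILD_ORIGIN);
```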
