W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2012

[whatwg] crossorigin property on iframe

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 12 Apr 2012 22:35:38 +0200
Message-ID: <op.wcn55oxe64w2qv@annevk-macbookpro.local>
On Thu, 12 Apr 2012 22:17:50 +0200, Ojan Vafai <ojan at chromium.org> wrote:
> OK, I'm convinced that direct DOM access is a bad idea. seamless was the
> use-case I most cared about anyways. In theory, if we use seamless + CORS
> for the @src load and any navigations of the frame (including via
> Location), then this should be feasible, yes?
>
> Alternately, we could add a special http header and/or meta tag for this,
> like x-frame-options, but for the child frame to define it's relationship
> to the parent frame.

The problem with CORS might be that if you want to expose content for  
embedding with seamless that depends on credentials, XMLHttpRequest can  
request that information then too. As a developer trying to make seamless  
work cross-origin you might not anticipate that.

On the other hand, the enormous growing number of one-off flags developers  
can attach to resources for various features is starting to get worrisome.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Thursday, 12 April 2012 13:35:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:07 GMT