W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2012

Re: [whatwg] AllowSeamless

From: Maciej Stachowiak <mjs@apple.com>
Date: Sat, 26 May 2012 22:13:25 -0700
Message-id: <F551084E-4108-483E-A8AE-6B0D7DBFC041@apple.com>
To: Adam Barth <w3c@adambarth.com>
Cc: whatwg <whatwg@lists.whatwg.org>, Eric Seidel <eric@webkit.org>, Ojan Vafai <ojan@chromium.org>

On May 26, 2012, at 5:16 PM, Adam Barth <w3c@adambarth.com> wrote:

> Hi whatwg,
> 
> I've added a proposal to the wiki
> <http://wiki.whatwg.org/wiki/AllowSeamless> about letting a document
> indicate that it is willing to be displayed seamlessly with a
> cross-origin parent.  This proposal is a refinement of the approach
> previously discussed in this thread:
> <http://old.nabble.com/crossorigin-property-on-iframe-td33677754.html>.
> 
> Let me know if you have any feedback.

Hi Adam,

Seems like your use case is well motivated. Two points of feedback:

1) In the Alternatives section, you didn't talk about the alternative of a newly created HTTP header, or else extending one of the headers already affecting embedding security, or in general the tradeoffs of header vs. signifier inside the HTML document to be embedded. I don't have a particular pre-existing opinion on this, but it seems like at least some of the precedent in this case is based on HTTP headers, and it would be good to understand the tradeoffs.

2) It seems like, even if it might not be appropriate to require CORS for this use case, it seems like allowing CORS access should at least be sufficient even if not necessary. In other words, if you are prepared to use CORS anyway for other reasons, then it seems like that should also allow seamless embedding. But perhaps this makes the model too complicated.
Received on Sunday, 27 May 2012 05:14:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:08 GMT