W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2013

Re: [whatwg] links within an iframe cannot replace the parent document?

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 30 Aug 2013 23:14:34 +0000 (UTC)
To: "Constantine A. Murenin" <mureninc@gmail.com>, Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>
Message-ID: <alpine.DEB.2.00.1308302236060.28675@ps20323.dreamhostps.com>
Cc: whatwg@whatwg.org

On Wed, 29 May 2013, Constantine A. Murenin wrote:
> 
> [Use case:] an ISBN resolver, where multiple independent providers (e.g. 
> shops) could serve the request.

Why would shops be ok with having additional material around their page? 
That seems like a supremely bad idea from a security perspective.


On Tue, 28 May 2013, Constantine A. Murenin wrote:
>
> For example, right now, when someone requests http://mdoc.su/-/ifconfig, 
> I simply return a 300-Multiple-Choices page, without actually loading 
> any useful and readable content as an appetizer.  What I might want to 
> do instead is load one of the URLs in a full-screen iframe (already 
> possible through CSS, not possible with HTML5 alone, since iframe's 
> width/height must only contain pixel-based values), and overlay my 
> navigation that provides links to other content providers with `z-index` 
> (already possible through CSS), but not squat on the Location bar 
> (currently impossible not to squat on the location bar).

There's no way we can get to the point where you're overlaying content on 
other sites with their URL appearing in the URL bar. That would let people 
do things like overlay their UI on top of Amazon's shopping cart UI and 
get people to give them their credit card details.


> say, when I enter http://dx.doi.org/10.1109/ITCC.2005.129, it'd be 
> useful if the URL stays in the location bar, until I navigate away from 
> the page that is ultimately loaded.

Would your UI disappear at this time too?

The pages can do this today by just having <base target="_top"> in their 
markup. Is that insufficient?


> Or, with a higher z-index, there might also be other navigation, e.g. a 
> link to http://doi.ieeecomputersociety.org/10.1109/ITCC.2005.129, which 
> is a separate resource from the main IEEE Xplore that gets linked from 
> dx.doi.org, without such alternative ieeecomputersociety link being in 
> IEEE Xplore itself.

I don't follow.


On Wed, 29 May 2013, Constantine A. Murenin wrote:
> 
> Why would anyone non-malicious and usability-friendly would need 
> non-same-origin documents within a full-screen iframe open-up within the 
> said full-screen iframe ("_self"), and not at the top of the frame 
> ("_top")?  In this inquiry, I want them opened up at the top of the 
> frame, replacing my original page with the iframe; do you disagree that 
> such is a reasonable request?

I think this request makes sense. It's just not clear that there's a 
compelling enough use case for it. How common is it for people to want to 
provide sites such as you describe?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 30 August 2013 23:15:34 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:23 UTC