Re: Allow auto-resize on iframe

On Wed, 27 Jan 2016 12:56:55 +0100, Craig Francis  
<craig.francis@gmail.com> wrote:

> On 26 Jan 2016, at 19:23, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>
>> Some quick conversation with fantasai suggests a few routes that we  
>> could take that would avoid a new property:
>
>
>
>
> Thanks TJ,
>
> Personally I like the idea of "height: auto" on an iframe, where the UA  
> stylesheet sets it to 150px, but completely understand that  
> compatibility might be an issue there (even if developers are doing this  
> just to get this specific behaviour).

I suspect height:auto won't be Web compatible. For one thing, I believe it  
would change the heights of iframes for pages that do

     * { box-sizing: border-box; }


> Having said that, as the child document will need to opt-in to this,  
> then maybe this won't be a problem?
>
> From my understanding, the opt-in is required as someone malicious could  
> iframe another website where the user might be logged in, and depending  
> on if they are logged in or not, the height of the document might be  
> different.
>
> CORS might work, and uses existing technology, but this does require an  
> additional HTTP request (not so good for performance)... so maybe there  
> as other options? I was thinking of the X-Frame-Options header, but this  
> seems to be moving to CSP2 frame-ancestors[1]

CORS doesn't require an extra request for normal GETs. But I think we  
should investigate the use cases for cross-origin autoresize more first;  
maybe using CORS is not suitable because it would expose "too much", and  
autoresize was the only thing people wanted to enable?


> But if this doesn't work, then "height: max-content" would also be  
> perfectly fine for me (I just don't want to continue setting up more  
> iframes, with 2 JavaScript files, just to avoid a scroll bar).

height:max-content WFM.

-- 
Simon Pieters
Opera Software

Received on Wednesday, 27 January 2016 13:04:05 UTC