Re: Allow auto-resize on iframe

On Thu, 28 Jan 2016 12:57:09 +0100, Craig Francis  
<craig.francis@gmail.com> wrote:

> On 27 Jan 2016, at 13:02, Simon Pieters <simonp@opera.com> wrote:
>
>> CORS doesn't require an extra request for normal GETs. But I think we  
>> should investigate the use cases for cross-origin autoresize more  
>> first; maybe using CORS is not suitable because it would expose "too  
>> much", and autoresize was the only thing people wanted to enable?
>
>
>
> Good point, has been a while since I last did any CORS work.
>
> When you say it will expose "too much", what do you mean by this?

For instance, adding CORS means that the content is also readable with XHR.

> I'm just thinking of the height of the iframed page allowing a malicious  
> website (the one that created the iframe) to infer something about the  
> victim website within the iframe (e.g. is this user logged in).

Yep. Though this is typically possible through other means already, e.g.  
trying to load some resource and see if you get a 'load' or 'error' event.


> I think in most cases iframes work exceptionally well at allowing you to  
> include content from elsewhere.
>
> This is often because another website is providing the content, or  
> because you have some content that you want to sandbox (because it's  
> potentially untrusted).
>
> But the problem I often face is getting the iframe to have the right  
> height (just so it does not create scroll bars):
>
> http://stackoverflow.com/search?q=resize+iframe
>
> The dumb approach is to set its height to something ridiculously tall.
>
> Or the more complicated one involves JavaScript + postMessage(), and  
> this is always implemented slightly differently between websites.
>
>
>
> And you won't hear any complaints from me about it being done via  
> "height: max-content" :-)
>
> Craig
>
>


-- 
Simon Pieters
Opera Software

Received on Thursday, 28 January 2016 12:24:14 UTC