Re: Allow auto-resize on iframe from Craig Francis on 2016-01-29 (www-style@w3.org from January 2016)

From: Craig Francis <craig.francis@gmail.com>
Date: Fri, 29 Jan 2016 16:50:06 +0000
To: Simon Pieters <simonp@opera.com>
Cc: "Tab Atkins Jr." <jackalmage@gmail.com>, www-style list <www-style@w3.org>
Message-Id: <0CDA33FC-26FA-4184-BB61-07941342653D@gmail.com>

On 28 Jan 2016, at 12:23, Simon Pieters <simonp@opera.com> wrote:

> For instance, adding CORS means that the content is also readable with XHR.




Good point.

It would be useful for the remote site to see the Origin header, but just simply opening access with "Access-Control-Allow-Origin" isn't a good idea.

It's a shame there isn't a way of saying "Access-Control-Allow-Feature" to go along with Origin/Methods/Headers/Credentials... but I don't think that can be added now, as too many websites and browsers have implemented the current functionality.

Maybe a new header, or maybe CSP, or something else?

Or do we just simply allow the browser to set the height and not worry about it... personally I don't want to allow another vector for information leakage, but you are right, there are other ways of doing this already.

Craig





> On 28 Jan 2016, at 12:23, Simon Pieters <simonp@opera.com> wrote:
> 
> On Thu, 28 Jan 2016 12:57:09 +0100, Craig Francis <craig.francis@gmail.com> wrote:
> 
>> On 27 Jan 2016, at 13:02, Simon Pieters <simonp@opera.com> wrote:
>> 
>>> CORS doesn't require an extra request for normal GETs. But I think we should investigate the use cases for cross-origin autoresize more first; maybe using CORS is not suitable because it would expose "too much", and autoresize was the only thing people wanted to enable?
>> 
>> 
>> 
>> Good point, has been a while since I last did any CORS work.
>> 
>> When you say it will expose "too much", what do you mean by this?
> 
> For instance, adding CORS means that the content is also readable with XHR.
> 
>> I'm just thinking of the height of the iframed page allowing a malicious website (the one that created the iframe) to infer something about the victim website within the iframe (e.g. is this user logged in).
> 
> Yep. Though this is typically possible through other means already, e.g. trying to load some resource and see if you get a 'load' or 'error' event.
> 
> 
>> I think in most cases iframes work exceptionally well at allowing you to include content from elsewhere.
>> 
>> This is often because another website is providing the content, or because you have some content that you want to sandbox (because it's potentially untrusted).
>> 
>> But the problem I often face is getting the iframe to have the right height (just so it does not create scroll bars):
>> 
>> http://stackoverflow.com/search?q=resize+iframe
>> 
>> The dumb approach is to set its height to something ridiculously tall.
>> 
>> Or the more complicated one involves JavaScript + postMessage(), and this is always implemented slightly differently between websites.
>> 
>> 
>> 
>> And you won't hear any complaints from me about it being done via "height: max-content" :-)
>> 
>> Craig
>> 
>> 
> 
> 
> -- 
> Simon Pieters
> Opera Software

Received on Friday, 29 January 2016 16:50:41 UTC