Re: [csswg-drafts] [css-sizing] Auto-resize iframes based on content (#1771)

From: Felix Becker via GitHub <sysbot+gh@w3.org>
Date: Wed, 09 Dec 2020 11:20:53 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-741708360-1607512851-sysbot+gh@w3.org>

I am a bit confused why the security concern is a blocker for `<iframe>`, when `<object>` already does this (at least when embedding an SVG, even cross-origin). `<iframe>`s are a lot more secure because they have attributes like `sandbox` and `csp`, which `<object>` does not. So currently we are forced to use `<object>` to embed SVGs in a responsive, accessible, interactive way (`<img>` doesn't expose contents to screen readers, make links clickable or text selectable) with no way to disallow scripts in SVG to run. Having iframe resizing would therefore be an _improvement_ to security in my eyes because it stops forcing us to use less secure alternatives.

-- 
GitHub Notification of comment by felixfbecker
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1771#issuecomment-741708360 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 9 December 2020 11:20:56 UTC
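
The contrast drawn in the message above, as an added example that is not part of the original comment: the same SVG embedded with `<object>` and with a sandboxed `<iframe>`. The host `embeds.example`, the file `chart.svg`, the labels and the pixel sizes are constructed for illustration.

```html
<!-- Constructed example; embeds.example and chart.svg are placeholders. -->

<!-- <object>: the box takes the SVG's intrinsic size and the content stays
     interactive, but the element has no sandbox attribute, so any <script>
     inside chart.svg runs when the document loads. -->
<object type="image/svg+xml"
        data="https://embeds.example/chart.svg"
        aria-label="Quarterly chart">
  Fallback text for browsers that cannot render the SVG.
</object>

<!-- <iframe sandbox>: an empty sandbox value applies every restriction,
     which blocks script execution in the framed SVG and gives it an opaque
     origin. The frame does not size itself to its content, so the embedder
     has to hard-code width and height. That fixed box is the limitation
     issue #1771 asks to lift. -->
<iframe sandbox
        src="https://embeds.example/chart.svg"
        title="Quarterly chart"
        width="600" height="400"></iframe>
```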

This archive was generated by hypermail 2.4.0 : Tuesday, 19 October 2021 01:31:37 UTC