- From: CSS Meeting Bot via GitHub <sysbot+gh@w3.org>
- Date: Wed, 20 Apr 2022 16:30:50 +0000
- To: public-css-archive@w3.org
The CSS Working Group just discussed `[css-images-4] object-* properties and the iframe element`, and agreed to the following: * `RESOLVED: Force iframe/object/embed/any other scriptable document-embedding element to object-overflow: clip !important; via UA rule` <details><summary>The full IRC log of that discussion</summary> <fantasai> topic: [css-images-4] object-* properties and the iframe element<br> <fantasai> github: https://github.com/w3c/csswg-drafts/issues/7143<br> <fantasai> TabAtkins: When I was discussing the object-overflow property internally, it was brought up in security review that allowing iframes escape the bounds, even if embedding page opts into it, because they can change content arbitrarily via script<br> <fantasai> TabAtkins: use cases for this seem fairly minimal<br> <fantasai> TabAtkins: main use case for this property was to allow images to be larger than their content bounds<br> <fantasai> TabAtkins: iframes don't make as much sense<br> <fantasai> TabAtkins: so go ahead and enforce that iframes always stay clipped, with UA !important rule<br> <fantasai> TabAtkins: Other HTML elements were also brought up, e.g. embed, object, ??, and I'm not sure about SVG foreignObject<br> <chris> foreignObject is basically an iframe<br> <Rossen_> q?<br> <fantasai> TabAtkins: Proposal is to force iframe object embed and any other HTML or SVG elements that can be scriptable to clip via UA !important rule<br> <emilio> ack emilio<br> <fantasai> smfr: Can authors override UA !important?<br> <fantasai> TabAtkins: no<br> <chrishtr> proposed resolution sgtm<br> <fantasai> RESOLVED: Force iframe/object/embed/any other scriptable document-embedding element to object-overflow: clip !important; via UA rule<br> </details> -- GitHub Notification of comment by css-meeting-bot Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/7143#issuecomment-1104143059 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 20 April 2022 16:30:51 UTC