Re: The <iframe> element and sandboxing ideas

On Sat, 24 May 2008, Bill Lipa wrote:
> >
> > I've added a seamless="" boolean attribute to <iframe>, which, if the 
> > content's active document's URI has the same origin as the container, 
> > causes the iframe to size vertically to the bounding box of the 
> > contents...
>
> Seamless iframes sound quite excellent.  If the containing document 
> trusts the target iframe, could it opt out of the same origin check?  
> That would allow, for example, web services to provide better integrated 
> widgets.

With the postMessage() API, this is mostly unnecessary at this point. I 
think allowing that is better than having sites have to trust each other 
(it would be very easy if two sites trusted each other like that to spoof 
the DNS of just one on a local network and thus gain access to the data 
on the other).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Saturday, 14 February 2009 23:41:10 UTC