- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 18 Jan 2010 16:03:09 -0800
- To: Joe D Williams <joedwil@earthlink.net>
- Cc: Henri Sivonen <hsivonen@iki.fi>, public-html@w3.org

On Mon, Jan 18, 2010 at 3:48 PM, Joe D Williams <joedwil@earthlink.net> wrote:
>> I don't understand why you think object/embed provides more security than
>> iframe. When you load HTML into an object/embed, what you get is exactly
>> the same as an iframe.
>
> Not in detail, I think you will find.
> I meant to say that <iframe> is for html while <object> and <embed> are
> designed for plugins or other 'external' scriptable runtime like flash or
> other live content. If you use <object> or <embed> I think you will find
> events do not work the same as for <iframe>. For example if <iframe> we try
> to limit access so that the 'nested' DOM acts like it is not accessible from
> the host DOM. For <object> and <embed> that is not a simulation. The context
> is actually different and events (should get) passed in an entirely
> different but familiar way.

Really? Do you have test cases that demonstrate this difference? In
WebKit, HTMLObjectElement, which represents the <object> element, is a
subclass of HTMLFrameOwnerElement, which represents all the frame-like
elements (e.g., <frame>, <iframe>). If you put text/html into an
<object> element (which is what we're suggesting with @doc), then it
acts just like a frame.

Adam

Received on Tuesday, 19 January 2010 00:04:16 UTC