[Bug 13348] New: I was wondering if it would be possible to extend the iframe sandbox attribute to provide additional functionality. We've been developing a HTML5 digital signage solution where the playback application is a HTML5 web page. When the solution is displaying from bugzilla@jessica.w3.org on 2011-07-25 (public-html@w3.org from July 2011)

From: <bugzilla@jessica.w3.org>
Date: Mon, 25 Jul 2011 05:10:11 +0000
To: public-html@w3.org
Message-ID: <bug-13348-2495@http.www.w3.org/Bugs/Public/>

http://www.w3.org/Bugs/Public/show_bug.cgi?id=13348

           Summary: I was wondering if it would be possible to extend the
                    iframe sandbox attribute to provide additional
                    functionality. We've been developing a HTML5 digital
                    signage solution where the playback application is a
                    HTML5 web page. When the solution is displaying
           Product: HTML WG
           Version: unspecified
          Platform: Other
               URL: http://www.whatwg.org/specs/web-apps/current-work/#top
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P3
         Component: HTML5 spec (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: contributor@whatwg.org
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org


Specification: http://www.w3.org/TR/html5/
Multipage: http://www.whatwg.org/C#top
Complete: http://www.whatwg.org/c#top

Comment:
I was wondering if it would be possible to extend the iframe sandbox attribute
to provide additional functionality.
We've been developing a HTML5 digital signage solution where the playback
application is a HTML5 web page.

When the solution is displaying web pages we use a sandboxed iframe however it
doesn’t quite meet our needs.

The problem is that many pages have click-jacking prevention where they use
javascript to ensure the page is not in an iframe and the HTTP X-Frame-Options
header to prevent the display of the page in the latest browsers.

So whilst we believe our approach to digital signage is by far the most
ubiquitous in terms of platform support, we have the lowest support for
displaying web pages.
What we are thinking is that it would be good to have an ‘isolated’ flag
on the iframe sandbox attribute that allows:
1.    the inline frame to act like a pop-up window
2.    limited JS interaction. Access to height, width, src properties for
example (like a pop-up window)
3.    top == self in JS and browsers ignore the X-Frame-Options
4.    Prevents click jacking as the page is truly sandboxed like a pop-up
window

This would allow us to display pages like facebook in our HTML5 solution in
the same way our desktop software based competitors can.

I believe this addition would greatly benefit the HTML5 standard as a platform
and other legitimate uses could be:
•    HTML5 based web desktops such as http://eyeos.org/
•    HTML5 web browsers (Chrome OS where the browser chrome is a browser.
Tabs and all are HTML)
•    Tutorial sites with instructions around the live frame


Posted from: 129.78.32.22
User agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like
Gecko) Chrome/14.0.825.0 Safari/535.1

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

Received on Monday, 25 July 2011 05:10:16 UTC