Re: make links within an iframe replace the parent document

From: Constantine A. Murenin <mureninc@gmail.com>
Date: Mon, 20 May 2013 15:43:58 -0700
Message-ID: <CAPKkNb68oodB2xqO88NE2w+q+DUNTxO1YvH37uAoDMBH1G2UpA@mail.gmail.com>
To: Silvia Pfeiffer <silviapfeiffer1@gmail.com>
Cc: public-html@w3.org

On 20 May 2013 14:52, Silvia Pfeiffer <silviapfeiffer1@gmail.com> wrote:
> The seamless attribute was indeed created for this use case. It states:
> "...seamless mode ...  will cause links to open in the parent browsing
> context ..."
>
> To avoid XSS issues, same-origin rules apply, so look at the details
> of http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-seamless

That makes no sense.  If you already control the content of the iframe
that you're embedding, then there are already other means to make the
links open in the parent browsing context.

What about embedding non-same-origin content?  Why would any
legitimate websites that care about their users /not/ want to
have the links open in the parent browsing window?

Actually, why is it not even the default:  if the links are clicked on
within an iframe, why do they not replace the parent browsing context
by default?  This would seem like a big fail on part of the
implementation of iframes in modern browsers.

And then instead of getting it right, someone comes up with
X-Frame-Options that effectively kills the iframe for use outside of
the same-origin sites in the first place. :-(  Sigh.

C.
Received on Monday, 20 May 2013 22:44:29 UTC