- From: Silvia Pfeiffer <silviapfeiffer1@gmail.com>
- Date: Tue, 21 May 2013 09:20:48 +1000
- To: "Constantine A. Murenin" <mureninc@gmail.com>
- Cc: public-html@w3.org
On Tue, May 21, 2013 at 8:43 AM, Constantine A. Murenin <mureninc@gmail.com> wrote: > On 20 May 2013 14:52, Silvia Pfeiffer <silviapfeiffer1@gmail.com> wrote: >> The seamless attribute was indeed created for this use case. It states: >> "...seamless mode ... will cause links to open in the parent browsing >> context ..." >> >> To avoid XSS issues, same-origin rules apply, so look at the details >> of http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-seamless > > That makes no sense. If you already control the content of the iframe > that you're embedding, then there are already other means to make the > links open in the parent browsing context. > > What about embedding non-same-origin content? Why would any > legitimate websites that care about their users would /not/ want to > have the links open in the parent browsing window? > > Actually, why is it not even the default: if the links are clicked on > within an iframe, why do they not replace the parent browsing context > by default? This would seem like a big fail on part of the > implementation of iframes in modern browsers. > > And then instead of getting it right, someone comes up with > X-Frame-Options that effectively kills the iframe for use outside of > the same-origin sites in the first place. :-( Sigh. Have you tried some of the suggestions on http://stackoverflow.com/questions/4804604/html5-iframe-seamless-attribute ? Silvia.
Received on Monday, 20 May 2013 23:21:35 UTC