On 21 January 2011 09:35, Michal Zalewski <lcamtuf@coredump.cx> wrote: > What if there are several overlapping frames that meet this criteria > all at the same time? There is only one "top" :-) > Overlapping iframes should both be disabled and removed from view. > Also, what if a frame is moved underneath the cursor just milliseconds > before the user clicks something - in which case, the tooltip appears > too late to allow for any meaningful reaction? > JavaScript should not be able to control of iframes that have been allowed with x-frame-options. We created a monster with iframes, it should be locked down. Maybe some JS should be allowed but events and dynamic styles should be prevented. > What if the document is larger than window size? Can the frame be > rendered partly off-screen, so that only several pixes are still left > on the screen? > The iframe shouldn't be rendered in any way off screen, it should either be centered or removed from display. If the window height or width is below a certain value then the iframe should be removed from display. > I can also imagine this colliding in nasty ways with things such as > drop-down lists or menus - you don't want "like" buttons to be drawn > on top of them :-( > It's up to the dev to place the iframe in a place were it doesn't overlap, the iframe should always be higher than any other element IMO.
Received on Friday, 21 January 2011 10:16:16 UTC