- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Fri, 21 Jan 2011 13:05:30 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Giorgio Maone <g.maone@informaction.com>, Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
> Yeah that's the problem as it stands today but I'm proposing a different
> behaviour for iframes in general when the x-frames-option header is applied
> to allow framing. Moving a parent div would count as dynamic styling of the
> iframe. The iframe could there stay where it is or be removed from display.

Even if you bake the frame into the rendered document, the window can be scrolled up or down (window.scrollTo) to take it off screen or bring it back. Making "like" buttons stay in place as the user legitimately scrolls a page of Youtube comments is probably a no go ;-)

Plus, even if you solve this, it gets even more complicated if you have a non-XFO frame that has a "restricted" XFO frame inside - and when that non-XFO frame is resized; or if the browser window itself is resized, which is permitted by default in some U-As.

Cheers,
/mz

Received on Friday, 21 January 2011 21:06:24 UTC