
Allow auto-resize on iframe

From: Craig Francis <craig.francis@gmail.com>
Date: Sun, 31 Jan 2016 19:01:44 +0000
Message-Id: <ED57A5ED-F640-477F-8BC8-674A75C5D2AE@gmail.com>
To: public-webappsec@w3.org

Hi,

Following the recent removal of `seamless` from the WHATWG:

https://github.com/whatwg/html/issues/331

One of the main features was allowing iframes to inherit the height of the child document.

This is very important to stop scroll bars, and is where I'm suggesting we introduce the ability for iframes to auto-resize (even if it is just the height that can change):

https://github.com/whatwg/html/issues/555

The `www-style` mailing list has suggested just putting this into CSS with a simple rule:

    iframe { height: max-content; }

Which is much better than the many ugly JavaScript solutions currently out there.

But when working cross origin, this causes a bit of a security problem, as the height of the page can leak information about the framed content (e.g. is the user logged in to website X).

I don't believe CSP is a good idea for this, even if it is inheriting the old `X-Frame-Options` into `frame-ancestors`.

And using CORS will give too much power (i.e. the ability for the parent page to inspect the child page's content).

Anne has just proposed a new header, something like "Expose-Height-Cross-Origin: 1".

Do you have any other suggestions or comments?

Craig
Received on Sunday, 31 January 2016 19:02:13 UTC
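
One common form of the JavaScript approach the message mentions, as an added example that is not part of the original message or of any proposal in it: the framed page opts in by posting its height only to named parent origins, which is the consent a header such as the one proposed would express declaratively. The function names, message shape, origins and height cap are all assumptions made for illustration.

```javascript
// Added example. Message shape, origins and MAX_HEIGHT are assumptions.

// Child (framed) page: opt in by naming the parents allowed to learn the height.
// Never use "*" as targetOrigin: that would tell any embedder the height.
function reportHeight(win, allowedParents) {
  const height = win.document.documentElement.scrollHeight;
  let sent = 0;
  for (const origin of allowedParents) {
    if (origin === "*") continue; // refuse the wildcard outright
    // The browser delivers this only if the parent's origin equals `origin`.
    win.parent.postMessage({ type: "frame-height", height }, origin);
    sent++;
  }
  return sent;
}

// Parent (embedding) page: trust a height only from the expected frame.
const MAX_HEIGHT = 10000; // px; constructed cap so a child cannot grow unbounded

function applyHeight(event, iframe, childOrigin) {
  if (event.origin !== childOrigin) return false;           // wrong sender origin
  if (event.source !== iframe.contentWindow) return false;  // not this iframe
  const data = event.data;
  if (!data || data.type !== "frame-height") return false;
  if (!Number.isInteger(data.height) || data.height < 0) return false;
  iframe.style.height = Math.min(data.height, MAX_HEIGHT) + "px";
  return true;
}

// Browser wiring (parent side), shown as a comment so the block also loads in Node:
//   const frame = document.querySelector("iframe");
//   window.addEventListener("message",
//     (e) => applyHeight(e, frame, "https://child.example"));
```

A framed page that never calls `reportHeight` reveals nothing, so pages whose height depends on login state stay private by default.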
