
Re: iFrame access

From: Craig Francis <craig.francis@gmail.com>
Date: Tue, 29 Mar 2016 11:04:31 +0100
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-Id: <307D0EDC-DF85-4058-A030-1127DF62BF8E@gmail.com>
To: Chris Palmer <palmer@google.com>
On 28 Mar 2016, at 20:39, Chris Palmer <palmer@google.com> wrote:

> I'd much rather have the embedder explicitly pass the relevant text ... an iframe element attribute.


Actually, this is a good point...

Taylor Hunt suggested something similar on WICG Discourse:

https://discourse.wicg.io/t/feature-request-allow-auto-resize-on-iframe/1405/5

They wanted variables to be passed into the iframe (in their case to customise the CSS, maybe the widget could set a theme colour?).

Maybe this is worth considering?

It would be easier than passing everything through the iframe src, e.g.

	<iframe src="/path/to.js" data-colour="#F00"></iframe>

And for the Ad networks:

	<iframe src="https://www.example.com/advert/" data-text-content="" style="width: 500px; height: max-content;"></iframe>

Where those Ad networks could suggest something like the following (for those wanting a quick copy/paste):

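	<script>

		// Feature-detect querySelectorAll so older browsers skip this quietly.
		if (document.querySelectorAll) {
			document.addEventListener('DOMContentLoaded', function() {

				// Only iframes that carry the attribute are given the text.
				var iframes = document.querySelectorAll('iframe[data-text-content]'),
					textContent = document.body.innerText;

				// Copy the page's visible text into each of those iframes.
				for (var k = (iframes.length - 1); k >= 0; k--) {
					iframes[k].setAttribute('data-text-content', textContent);
				}

			});
		}

	</script>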

Although, we should use a different attribute name, as data-* attributes already exist :-)

Craig
Received on Tuesday, 29 March 2016 10:04:56 UTC
