[whatwg] Iframe dimensions

On 05.07.2010 19:24, Adam Barth wrote:
> On Mon, Jul 5, 2010 at 10:13 AM, Markus Ernst <derernst at gmx.ch> wrote:
>> First, this sounds somehow complicated to me, and second, I don't understand
>> why the dimensions of non-seamless iframes should not get the benefits of
>> author-friendly (and user-friendly) dimension handling.
> 
> One of the reasons is security: if we automatically sized iframes, an
> attacker could learn things about documents in other origins.  

I can't imagine how the information about the computed width and height 
can be abused - would you mind giving an example?

A possible workaround to security issues could be an element to be set 
in the included document, such as a meta tag that contains a 
comma-separated list of domains that are allowed to include the document, and 
also get information about dimensions and such. Some kind of:
<meta name="allow-embedding" content="whatwg.org, mozilla.com">

Also, if this is a potential danger, should the 2 list paragraphs about 
width and height in the part on @seamless be removed at all? As far as I 
understand, the effects of @seamless require the iframe source to be 
from the same origin as the parent document, thus I think that width and 
height of an iframe should be computed independent from @seamless. Else, 
the whole page layout is likely to change if the iframe source is 
navigated from a same-origin document to one from another origin.

> Another reason is compatibility: changing how frames layout would likely 
> break the layout of a large number of web sites.

I don't think the 2 solutions I proposed would do any BC harm:
- Inventing a new attribute does not affect legacy browsers (as they 
will ignore it), nor legacy pages (as they don't have it).
- Interpreting the CSS declaration display:block as the author's wish to 
get the iframe rendered like a block element is nothing but consistent. 
There has been no reason for authors to apply this declaration so far, 
but if anyone did, he/she wanted the rendering I suggest. If not (for 
example if the iframe is floating), he/she also applied dimensions, be 
it in the HTML or the CSS code.

Received on Monday, 5 July 2010 12:37:15 UTC
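
The `allow-embedding` check proposed in the message above, as an added example that is not part of the original post. The function names and the matching rules (exact, case-insensitive hostname match, failing closed on malformed input) are assumptions, since the proposal does not define them.

```javascript
// Added example: a hypothetical evaluation of the proposed
// <meta name="allow-embedding" content="..."> tag. The matching rules
// (exact hostname, case-insensitive, fail closed) are assumptions.

// A bare hostname: dot-separated labels of letters, digits and hyphens.
const HOSTNAME = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/;

// Split the comma-separated content attribute into normalized hostnames.
function parseAllowEmbedding(content) {
  if (typeof content !== "string") return [];
  return content
    .split(",")
    .map((entry) => entry.trim().toLowerCase())
    // Drop entries that are not bare hostnames (schemes, paths, wildcards).
    .filter((entry) => HOSTNAME.test(entry));
}

// Decide whether the embedding page may learn the framed document's size.
function mayExposeDimensions(metaContent, embedderUrl) {
  let host;
  try {
    host = new URL(embedderUrl).hostname.toLowerCase();
  } catch (e) {
    return false; // unparsable embedder URL: fail closed
  }
  // Exact comparison only: substring or suffix matching would also
  // accept look-alike hosts that merely contain a listed name.
  return parseAllowEmbedding(metaContent).includes(host);
}

// Constructed sample input, using the tag content shown in the message.
const sample = "whatwg.org, mozilla.com";
const embedders = [
  "https://whatwg.org/page",
  "https://MOZILLA.com/",
  "https://evil-whatwg.org/",
  "https://whatwg.org.attacker.example/",
  "https://www.whatwg.org/",
  "not a url",
];
for (const url of embedders) {
  console.log(url, "->", mayExposeDimensions(sample, url));
}
```

Under these assumed rules a subdomain such as `www.whatwg.org` is not covered by the entry `whatwg.org`; each allowed host has to be listed explicitly.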