- From: Markus Ernst <derernst@gmx.ch>
- Date: Tue, 06 Jul 2010 10:40:50 +0200
Am 05.07.2010 22:50 schrieb Aryeh Gregor: > On Mon, Jul 5, 2010 at 1:13 PM, Markus Ernst <derernst at gmx.ch> wrote: >> Some content from an external specialized content provider is included in >> an existing web site via an iframe. This cannot be seamless, as the links >> in the iframe must point to the original domain of the included document. >> But in order to avoid double scroll bars, it would be desirable to have the >> height of the iframe adjusted to it's content. > > This use-case is inherently insecure. An iframe's height cannot > depend on the contents of a cross-origin page unless that origin > explicitly opts in somehow. Thank you and Boris for your examples. I see the security issues. Anyway It would be very helpful in cases like mine, where security and privacy are not affected, to get an easy way to do this opt-in without the need of complex scripting, and independent from @seamless. Embedding content from external providers looks like a quite common case to me, and an easy opt-in mechanism would help both the customers and the providers of embedded content. Am 05.07.2010 22:50 schrieb Aryeh Gregor: > On Mon, Jul 5, 2010 at 1:13 PM, Markus Ernst <derernst at gmx.ch> wrote: >> - Interpreting the CSS declaration display:block as the author's wish to get >> the iframe rendered like a block element is nothing but consistent. There >> has been no reason for authors to apply this declaration so far, but if >> anyone did, he/she wanted the rendering I suggest. If not (for example if >> the iframe is floating), he/she also applied dimensions, be it in the HTML >> or the CSS code. > > The author might or might not originally have wanted the behavior you > said, but in the end, the site doesn't render that way, and changing > the rendering like that would make the site look very different from > the way it looked before (= the final product that the author was > satisfied with and released). Am 06.07.2010 02:35 schrieb Boris Zbarsky: > Experience shows this to not be the case. People blindly apply CSS > without thinking through the implications as long as the current > rendering is "right"; I will bet money there are pages out there that > use display:block on iframes just to get linebreaks before/after and > will break if the sizing behavior changes. A BC problem with display:block would only occur if an author applied this declaration _without_ applying dimensions, which looks quite weird to me. I admit I have no statistics about this, and no means to get statistics. But I can hardly imagine that there are many pages like this out there, as the default dimensions that browsers apply to iframes are quite special. But anyway, I do not insist in this solution, it was just an idea that looked consistent to me as an author with little technical backgrownd knowledge.
Received on Tuesday, 6 July 2010 01:40:50 UTC