W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2010

[whatwg] Iframe dimensions

From: Markus Ernst <derernst@gmx.ch>
Date: Tue, 16 Nov 2010 21:20:25 +0100
Message-ID: <4CE2E789.90700@gmx.ch>
Am 16.11.2010 19:12 schrieb Tab Atkins Jr.:
> On Tue, Nov 16, 2010 at 10:06 AM, Boris Zbarsky<bzbarsky at mit.edu>  wrote:
>> On 11/16/10 12:56 PM, Tab Atkins Jr. wrote:
>>>> - it is applicable at the client side without scripting
>>>
>>> This is not possible, for the simple reason that the whole point of
>>> CORS is to protect server resources.  If you could deal with CORS
>>> purely on the client side, you'd be allowing the page author to
>>> determine if they themself are allowed to access a file on another
>>> server.  That's a pretty obvious inversion of responsibility.  ^_^
>>
>> Well, more precisely there is nothing that needs to be done on the client
>> side for CORS, right?
>
> Ah, if that's what Markus was getting at, then yes.  CORS requires
> *zero* work on the client side, since it's completely done in the
> server-browser interaction.  The entirety of the client's interaction
> in the process is the initial request for a resource.

That is great news. Adding a header via a server-side script is indeed 
easy enough.

(As I did not find any HTML attributes or whatever in the CORS spec, I 
was afraid that the use of XHR would be necessary to call a cross-origin 
page in an Iframe - which looked like a huge overhead and also an 
accessibility issue to me.)
Received on Tuesday, 16 November 2010 12:20:25 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:28 UTC