W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2012

[whatwg] crossorigin property on iframe

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 12 Apr 2012 21:46:36 +0200
Message-ID: <op.wcn3vyow64w2qv@annevk-macbookpro.local>
On Thu, 12 Apr 2012 21:30:00 +0200, Ojan Vafai <ojan at chromium.org> wrote:
> We should add a crossorigin property on iframe that causes the request to
> use CORS. If it's an allowed cross-domain request, then the page should
> have access to the DOM of the frame.
> Also, seamless should work (assuming the CORS request succeeded of
> course). One tricky thing here is that seamless needs to stop working if
> the frame is navigated to a different origin to which it does not have  
> CORS access.

This cannot work. CORS only works for sharing a single resource. If you  
expose a DOM on a different origin that *entire* origin would be exposed,  
which would be way more than CORS allows for. You'll have to use a  
postMessage()-based workaround I'm afraid.

Anne van Kesteren
Received on Thursday, 12 April 2012 12:46:36 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:41 UTC