- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 12 Apr 2012 12:49:47 -0700
On Thu, Apr 12, 2012 at 12:46 PM, Anne van Kesteren <annevk at opera.com> wrote: > On Thu, 12 Apr 2012 21:30:00 +0200, Ojan Vafai <ojan at chromium.org> wrote: >> We should add a crossorigin property on iframe that causes the request to >> use CORS. If it's an allowed cross-domain request, then the page should >> have access to the DOM of the frame. >> >> Also, seamless should work (assuming the CORS request succeeded of >> course). One tricky thing here is that seamless needs to stop working if >> the frame is navigated to a different origin to which it does not have >> CORS access. > > This cannot work. CORS only works for sharing a single resource. If you > expose a DOM on a different origin that *entire* origin would be exposed, > which would be way more than CORS allows for. You'll have to use a > postMessage()-based workaround I'm afraid. The seamless part might be workable, since that leaks information only from the document in question. It's possible that there's a better mechanism than CORS for a child frame to opt into being seamless with its parent. Adam
Received on Thursday, 12 April 2012 12:49:47 UTC