W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2012

[whatwg] crossorigin property on iframe

From: Ojan Vafai <ojan@chromium.org>
Date: Thu, 12 Apr 2012 13:17:50 -0700
Message-ID: <CANMdWTvZUN+3wCqF1p1x4m2ViZWoHZeD=5Pf-ns454CFWrMxig@mail.gmail.com>
On Thu, Apr 12, 2012 at 1:07 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:

> On 4/12/12 3:49 PM, Adam Barth wrote:
>> The seamless part might be workable, since that leaks information only
>> from the document in question.  It's possible that there's a better
>> mechanism than CORS for a child frame to opt into being seamless with
>> its parent.
> Yes, I agree that having a way for a child to opt into being seamless is
> desirable.  That doesn't have the problems direct DOM access does.

OK, I'm convinced that direct DOM access is a bad idea. seamless was the
use-case I most cared about anyways. In theory, if we use seamless + CORS
for the @src load and any navigations of the frame (including via
Location), then this should be feasible, yes?

Alternately, we could add a special http header and/or meta tag for this,
like x-frame-options, but for the child frame to define it's relationship
to the parent frame.

Received on Thursday, 12 April 2012 13:17:50 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:41 UTC