- From: Dmitry Titov <dimich@chromium.org>
- Date: Tue, 17 Apr 2012 20:35:54 -0700
Would some sort of a same-origin policy help here? If both the iframe and parent document are same origin, can it be done, at least for the reparenting in the same JS execution block? Most (all?) of the security issues were specifically cross-origin. But yes, there are a lot of assumptions in the code about not only iframes, but most active objects to function only while they are connected all the way through to the valid DOM. There is too many APIs (and new ones are coming all the time) who pick up that assumption. It is not impossible, just a lot of work. Dmitry On Tue, Apr 17, 2012 at 4:06 PM, Ojan Vafai <ojan at chromium.org> wrote: > I think this only worked for the magic iframe solution because it was > cross-document. Talked to Adam offline. It sounded like the problems that > didn't stem from cross-document issues had to do with assumptions that > rendered iframes are always attach to the DOM. Not sure what we can do > about that other than fixing all the bugs. > > I considered that we could wait until the end of the microtask (task?), and > only unload keepalive iframes if they are still detached, but in the > presence of sync javascript events, I'm not sure that actually reduces any > implementation complexity. > > Ojan > > On Mon, Apr 16, 2012 at 4:51 PM, Darin Fisher <darin at chromium.org> wrote: > > > Can you hide this behind adoptNode just as we did for "magic iframe"? > The > > nice thing about adoptNode is that the browser gets told both the source > > and > > destination parent nodes. This way there is never a disconnected state. > > > > So long as we unload when moving between documents, we should be pretty > > safe as far as the issues which plagued magic iframe are concerned. > > > > -Darin > > > > > > On Thu, Apr 12, 2012 at 12:35 PM, Ojan Vafai <ojan at chromium.org> wrote: > > > >> We should add a keepalive attribute to iframes that prevents iframes > from > >> being unloaded/reloaded when removed from or appended to a document. > >> Similarly, a disconnected iframe with keepalive should load. If the > >> keepalive attribute is removed from a disconnected iframe, then it > should > >> unload. > >> > >> I'm not terribly happy with the name 'keepalive', but I can't think of > >> anything better at the moment. > >> > >> As iframes increasingly become the standard way of achieving certain > tasks > >> (e.g. sandboxing), it's increasingly important to be able to move them > >> around in the DOM. Right now, to achieve this sort of keepalive > behavior, > >> you have to keep the iframe always appended to the document and position > >> it > >> absolutely as the document changes. > >> > >> Ojan > >> > > > > >
Received on Tuesday, 17 April 2012 20:35:54 UTC