W3C home > Mailing lists > Public > whatwg@whatwg.org > December 2012

Re: [whatwg] Making cross-origin <iframe seamless=""> (partly) usable

From: Mikko Rantalainen <mikko.rantalainen@peda.net>
Date: Mon, 03 Dec 2012 09:56:41 +0200
Message-ID: <50BC5B39.8040104@peda.net>
To: whatwg@lists.whatwg.org
Ian Hickson, 2012-12-01 04:57 (Europe/Helsinki):
> ...and Adam Barth posted some on the wiki:
>> Expandable Advertisement: A publisher wishes to display an advertisement 
>> that expands when the user interacts with the advertisement. Today, the 
>> common practice is for the advertising network to run script in the 
>> publisher's page that receives postMessage instructions to resize the 
>> advertisement's iframe, but this requires that the publisher allow the 
>> advertisement to run script in its page, potentially compromising the 
>> publisher's security.
> 
> It seems to me like the best solution is to have a new HTTP header, with 
> the four following values being allowed:
> 
>    Seamless-Options: allow-shrink-wrap
>    Seamless-Options: allow-styling
>    Seamless-Options: allow-shrink-wrap allow-styling
>    Seamless-Options: allow-styling allow-shrink-wrap

Not that I fancy for expendable advertisement, but I fail to see how
that is supposed to work with those headers. Basically I think that in
such case, the host document should be able to specify something like
following:

(1) I want to embed a seamless untrusted iframe here, and
(2) iframe should have maximum size of e.g. 480x240 pixels (or any size
set via CSS max-width/max-height). However, if user interacts (I guess
moving focus inside the iframe is enough) with the iframe, then
max-width and max-height are set to "expanded state" (whatever that means).

Is it possible for host document to detect that the focus is within the
iframe from cross-origin location? If yes, then all we need is
cross-origin seamless iframe and a host document script that increases
the max-width and max-height limitations for the seamless iframe.

Does there need to be any support for expendable seamless iframe without
scripting?

-- 
Mikko
Received on Monday, 3 December 2012 08:17:23 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:50 UTC