- From: Mikko Rantalainen <mikko.rantalainen@peda.net>
- Date: Mon, 03 Dec 2012 09:56:41 +0200
- To: whatwg@lists.whatwg.org
Ian Hickson, 2012-12-01 04:57 (Europe/Helsinki): > ...and Adam Barth posted some on the wiki: >> Expandable Advertisement: A publisher wishes to display an advertisement >> that expands when the user interacts with the advertisement. Today, the >> common practice is for the advertising network to run script in the >> publisher's page that receives postMessage instructions to resize the >> advertisement's iframe, but this requires that the publisher allow the >> advertisement to run script in its page, potentially compromising the >> publisher's security. > > It seems to me like the best solution is to have a new HTTP header, with > the four following values being allowed: > > Seamless-Options: allow-shrink-wrap > Seamless-Options: allow-styling > Seamless-Options: allow-shrink-wrap allow-styling > Seamless-Options: allow-styling allow-shrink-wrap Not that I fancy for expendable advertisement, but I fail to see how that is supposed to work with those headers. Basically I think that in such case, the host document should be able to specify something like following: (1) I want to embed a seamless untrusted iframe here, and (2) iframe should have maximum size of e.g. 480x240 pixels (or any size set via CSS max-width/max-height). However, if user interacts (I guess moving focus inside the iframe is enough) with the iframe, then max-width and max-height are set to "expanded state" (whatever that means). Is it possible for host document to detect that the focus is within the iframe from cross-origin location? If yes, then all we need is cross-origin seamless iframe and a host document script that increases the max-width and max-height limitations for the seamless iframe. Does there need to be any support for expendable seamless iframe without scripting? -- Mikko
Received on Monday, 3 December 2012 08:17:23 UTC