- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 27 May 2012 00:38:30 -0700
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: whatwg <whatwg@lists.whatwg.org>, Eric Seidel <eric@webkit.org>, Ojan Vafai <ojan@chromium.org>
On Sat, May 26, 2012 at 10:13 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> On May 26, 2012, at 5:16 PM, Adam Barth <w3c@adambarth.com> wrote:
>> I've added a proposal to the wiki
>> <http://wiki.whatwg.org/wiki/AllowSeamless> about letting a document
>> indicate that it is willing to be displayed seamlessly with a
>> cross-origin parent. This proposal is a refinement of the approach
>> previously discussed in this thread:
>> <http://old.nabble.com/crossorigin-property-on-iframe-td33677754.html>.
>>
>> Let me know if you have any feedback.
>
> Hi Adam,
>
> Seems like your use case is well motivated. Two points of feedback:
>
> 1) In the Alternatives section, you didn't talk about the alternative of a newly created HTTP header, or else extending one of the headers already affecting embedding security, or in general the tradeoffs of header vs. signifier inside the HTML document to be embedded. I don't have a particular pre-existing opinion on this, but it seems like at least some of the precedent in this case is based on HTTP headers, and it would be good to understand the tradeoffs.

I included some discussion of the Content-Security-Policy header. Is there another HTTP header that you think would be appropriate to extend with this information? I guess there's a case to be made for including it in Frame-Options. I've sort of been hoping we can merge Frame-Options back into Content-Security-Policy, but that challenge is more social than technical.

> 2) It seems like, even if it might not be appropriate to require CORS for this use case, it seems like allowing CORS access should at least be sufficient even if not necessary. In other words, if you are prepared to use CORS anyway for other reasons, then it seems like that should also allow seamless embedding. But perhaps this makes the model too complicated.

In order for the CORS check to pass, we'd need to introduce a crossorigin attribute for iframes (like we've done for images and scripts). We might end up doing that anyway, and if/when we do, maybe it would be appropriate to have that allow seamless. However, there's still problem (2) from the wiki regarding leaking information about subresources.

Adam
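The message above turns on what "the CORS check" would have to pass before a `crossorigin` attribute on an iframe could be taken as permission to embed seamlessly. The following is an added illustration, not code from this thread or from any browser: it models the response-side CORS check that the `crossorigin` attribute already triggers for images and scripts (anonymous vs. credentialed mode), so a reader can see which server headers a cross-origin document would have to send for such a check to succeed. The origins and header values are constructed for the example.

```python
"""Model of the CORS check behind the crossorigin attribute.

Added example (not from the mailing-list thread). It follows the
response-side CORS check as specified in Fetch: the embedding page's
origin is compared against Access-Control-Allow-Origin, and credentialed
fetches additionally require Access-Control-Allow-Credentials: true and
forbid the "*" wildcard.
"""
from typing import Mapping, Optional


def credentials_mode_for(crossorigin_attr: Optional[str]) -> Optional[str]:
    """Map an element's crossorigin attribute to a fetch credentials mode.

    Returns None when the attribute is absent (no CORS request is made at
    all, so no CORS check can ever pass). As in HTML, an unrecognised value
    falls back to the anonymous state.
    """
    if crossorigin_attr is None:
        return None
    if crossorigin_attr.strip().lower() == "use-credentials":
        return "include"
    return "same-origin"  # "anonymous", "", or any invalid value


def cors_check(request_origin: str, credentials_mode: Optional[str],
               response_headers: Mapping[str, str]) -> bool:
    """Return True if the response passes the CORS check.

    request_origin   -- serialized origin of the embedding document,
                        e.g. "https://embedder.example" (constructed)
    credentials_mode -- "same-origin" (anonymous), "include", or None
    response_headers -- headers sent by the cross-origin document's server
    """
    if credentials_mode is None:
        return False  # non-CORS fetch: nothing to check, nothing granted
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False  # server made no grant at all
    if credentials_mode != "include" and acao == "*":
        return True  # anonymous fetch: wildcard suffices
    if acao != request_origin:
        return False  # must echo the embedder's origin byte-for-byte
    if credentials_mode != "include":
        return True
    # Credentialed fetch: explicit opt-in required, wildcard already rejected.
    return headers.get("access-control-allow-credentials") == "true"


def iframe_cors_passes(crossorigin_attr: Optional[str], embedder_origin: str,
                       response_headers: Mapping[str, str]) -> bool:
    """Convenience wrapper: would a hypothetical <iframe crossorigin=...>
    fetch of the embedded document pass the CORS check?"""
    return cors_check(embedder_origin,
                      credentials_mode_for(crossorigin_attr),
                      response_headers)


if __name__ == "__main__":
    # Constructed sample: an embedded document that opts in for one embedder.
    embedded_doc_headers = {
        "Access-Control-Allow-Origin": "https://embedder.example",
        "Access-Control-Allow-Credentials": "true",
    }
    for attr in (None, "anonymous", "use-credentials"):
        ok = iframe_cors_passes(attr, "https://embedder.example",
                                embedded_doc_headers)
        print(f"crossorigin={attr!r}: CORS check {'passes' if ok else 'fails'}")
```

Note the asymmetry the check encodes: with `crossorigin="anonymous"` a server can grant any embedder with `*`, but a credentialed embed only succeeds when the server names the exact embedding origin and sets `Access-Control-Allow-Credentials: true`. Whether passing this check should also imply consent to seamless display is exactly the policy question the thread leaves open.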
Received on Sunday, 27 May 2012 07:39:47 UTC