- From: Markus Ernst <derernst@gmx.ch>
- Date: Sun, 27 May 2012 14:23:19 +0200
- To: Adam Barth <w3c@adambarth.com>
- Cc: whatwg <whatwg@lists.whatwg.org>, Eric Seidel <eric@webkit.org>, Ojan Vafai <ojan@chromium.org>
Am 27.05.2012 12:19 schrieb Adam Barth: > On Sun, May 27, 2012 at 3:00 AM, Markus Ernst<derernst@gmx.ch> wrote: >> Am 27.05.2012 02:16 schrieb Adam Barth: >>> I've added a proposal to the wiki >>> <http://wiki.whatwg.org/wiki/AllowSeamless> about letting a document >>> indicate that it is willing to be displayed seamlessly with a >>> cross-origin parent. This proposal is a refinement of the approach >>> previously discussed in this thread: >>> <http://old.nabble.com/crossorigin-property-on-iframe-td33677754.html>. >>> >>> Let me know if you have any feedback. >> >> I have a strong feeling that per-origin control should be made easy for >> authors. I must admit that I am not familiar with the mechanisms you name, >> Frame-Options and ancestor-origins - and both are quite hard to google for. >> From what I found I assume both are about HTTP headers. >> >> If they are solutions that can be used easily with server-side languages >> such as PHP, I think we can live with it. But anyway it is a complication; >> I'd personnally prefer something like >> allowseemles="example.org, *.example.org, shop.otherdomain.com" >> >> Or maybe space separated, and separate inherit-style with comma: >> allowseemles="example.org *.example.org shop.otherdomain.com, inherit-style" >> >> (Regardless of whether it is in the HTML element or in a META element.) > > I had difficulty coming up with use cases that weren't better served > with frame-ancestors and/or Frame-Options. Do you have a specific use > case in mind to explain your feelings? My use case is a content provider, who provides e.g. a Sudoku application or a weather forecast for wind surfers. Paying customers are allowed to embed the content seamlessly in their web sites. The content can also be embedded for free, but not seamlessly. The content provider includes some corporate info, such as his/her own logo, and a "provided by XY" notice and link to his/her own page. The paying customers then can apply their own styling, and set the corporate info to "display:none" in the style sheet of the top document, via seamless embedding.
Received on Sunday, 27 May 2012 12:24:42 UTC