Re: Seamless transclusion of complex replaced elements

On Feb 20, 2008, at 7:01 AM, Justin Rogers wrote:

> I apologize in advance if I'm reading too much into the use of auto- 
> sizing, but...
>
> Any specification should be very careful when giving the IFRAME  
> element or any element that renders variable and cross domain  
> content the ability to auto-size based on the content itself. If  
> you do this I can now predict based on the final size of the  
> element the contents of the page in the element. You could call  
> this a minor cross domain hole, but information disclosure like  
> this is becoming the new mechanism for targeting users with  
> convincing phishing attacks.
>

Couldn't that be solved by not giving the document in the IFRAME  
JavaScript access to things like the document's or body's  
clientHeight, offsetHeight, scrollTop, scrollHeight, etc. unless it  
adhered to the same domain policy? Or (to avoid breakage), providing  
values for those things that assume a height that was as tall as it  
needed to be for no scrolling (if not in same domain)?

Received on Wednesday, 20 February 2008 15:54:46 UTC