Re: [OT] Allow auto-resize on iframe

From: Xidorn Quan <quanxunzhen@gmail.com>
Date: Mon, 22 Feb 2016 17:06:25 +0800
Message-ID: <CAMdq69_Nt1AKKjJetgzVbKAwyYfrmjbZ_nQ_Hd12NmHZrtEQ9Q@mail.gmail.com>
To: Lea Verou <lea@verou.me>
Cc: Craig Francis <craig.francis@gmail.com>, Ojan Vafai <ojan@chromium.org>, Simon Fraser <smfr@me.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, www-style list <www-style@w3.org>, Aleks Totic <atotic@google.com>, Elliott Sprehn <esprehn@google.com>, Ian Kilpatrick <ikilpatrick@google.com>

On Mon, Feb 22, 2016 at 4:35 PM, Lea Verou <lea@verou.me> wrote:
> Regarding the security issues, CORS could be one solution, but not a great
> one as few websites enable it. What about not being able to read the
> computed height if the iframe is cross-origin? Similarly to how one can't
> read the computed style applied with :visited.

Impossible. There are too many ways to know the height of an element,
given it affects layout. Applying a restriction to ":visited" is
possible because we restrict that only "color" is applied for
":visited", nothing else. And even for this very simple case (only
paint is affected), large complexity has been added, at least in
Gecko.

Even for :visited, people continuously find methods to bypass the
restriction (and actually there exists a working approach to do so at
this moment). Affecting layout means it is much much much more
difficult to restrict.

- Xidorn
Received on Monday, 22 February 2016 09:07:52 UTC