Re: [OT] Allow auto-resize on iframe

On Mon, Feb 22, 2016 at 4:35 PM, Lea Verou <> wrote:
> Regarding the security issues, CORS could be one solution, but not a great
> one as few websites enable it. What about not being able to read the
> computed height if the iframe is cross-origin? Similarly to how one can't
> read the computed style applied with :visited.

Impossible. It is too many ways to know the height of an element,
given it affects layout. Applying restriction to ":visited" is
possible because we restrict that only "color" is applied for
":visited", nothing else. And even for this very simple case (only
paint is affected), large complexity has been added, at least in

Even for :visited, people continuously find methods to bypass the
restriction (and actually there exists working approach to do so at
this moment). Affecting layout means it is much much much more
difficult to restrict.

- Xidorn

Received on Monday, 22 February 2016 09:07:52 UTC