- From: Xidorn Quan <quanxunzhen@gmail.com>
- Date: Mon, 22 Feb 2016 17:06:25 +0800
- To: Lea Verou <lea@verou.me>
- Cc: Craig Francis <craig.francis@gmail.com>, Ojan Vafai <ojan@chromium.org>, Simon Fraser <smfr@me.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, www-style list <www-style@w3.org>, Aleks Totic <atotic@google.com>, Elliott Sprehn <esprehn@google.com>, Ian Kilpatrick <ikilpatrick@google.com>
On Mon, Feb 22, 2016 at 4:35 PM, Lea Verou <lea@verou.me> wrote:

> Regarding the security issues, CORS could be one solution, but not a great
> one as few websites enable it. What about not being able to read the
> computed height if the iframe is cross-origin? Similarly to how one can't
> read the computed style applied with :visited.

Impossible. There are too many ways to know the height of an element, given it affects layout.

Applying a restriction to ":visited" is possible because we restrict that only "color" is applied for ":visited", nothing else. And even for this very simple case (only paint is affected), large complexity has been added, at least in Gecko.

Even for :visited, people continuously find methods to bypass the restriction (and actually there exists a working approach to do so at this moment). Affecting layout means it is much much much more difficult to restrict.

- Xidorn

Received on Monday, 22 February 2016 09:07:52 UTC