On 22 Feb 2016, at 09:06, Xidorn Quan <quanxunzhen@gmail.com> wrote: > > On Mon, Feb 22, 2016 at 4:35 PM, Lea Verou <lea@verou.me> wrote: >> Regarding the security issues, CORS could be one solution, but not a great >> one as few websites enable it. What about not being able to read the >> computed height if the iframe is cross-origin? Similarly to how one can't >> read the computed style applied with :visited. > > Impossible. It is too many ways to know the height of an element, > given it affects layout. Applying restriction to ":visited" is > possible because we restrict that only "color" is applied for > ":visited", nothing else. And even for this very simple case (only > paint is affected), large complexity has been added, at least in > Gecko. I believe the current proposal is to use a new header (even if temporary): Expose-Height-Cross-Origin: 1; The discussion is at: https://github.com/whatwg/html/issues/555#issuecomment-177797476 And thanks Lea, I realise I was going off on a bit of a tangent there :-) CraigReceived on Monday, 22 February 2016 11:57:06 UTC
This archive was generated by hypermail 2.4.0 : Monday, 23 January 2023 02:14:57 UTC