W3C home > Mailing lists > Public > www-style@w3.org > February 2016

Re: Allow auto-resize on iframe

From: Craig Francis <craig.francis@gmail.com>
Date: Mon, 22 Feb 2016 11:56:29 +0000
Cc: Lea Verou <lea@verou.me>, Ojan Vafai <ojan@chromium.org>, Simon Fraser <smfr@me.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, www-style list <www-style@w3.org>, Aleks Totic <atotic@google.com>, Elliott Sprehn <esprehn@google.com>, Ian Kilpatrick <ikilpatrick@google.com>
Message-Id: <E2F4847E-10CD-406F-ABE0-248A032C2787@gmail.com>
To: Xidorn Quan <quanxunzhen@gmail.com>
On 22 Feb 2016, at 09:06, Xidorn Quan <quanxunzhen@gmail.com> wrote:
> 
> On Mon, Feb 22, 2016 at 4:35 PM, Lea Verou <lea@verou.me> wrote:
>> Regarding the security issues, CORS could be one solution, but not a great
>> one as few websites enable it. What about not being able to read the
>> computed height if the iframe is cross-origin? Similarly to how one can't
>> read the computed style applied with :visited.
> 
> Impossible. It is too many ways to know the height of an element,
> given it affects layout. Applying restriction to ":visited" is
> possible because we restrict that only "color" is applied for
> ":visited", nothing else. And even for this very simple case (only
> paint is affected), large complexity has been added, at least in
> Gecko.



I believe the current proposal is to use a new header (even if temporary):

    Expose-Height-Cross-Origin: 1;

The discussion is at:

https://github.com/whatwg/html/issues/555#issuecomment-177797476

And thanks Lea, I realise I was going off on a bit of a tangent there :-)

Craig
Received on Monday, 22 February 2016 11:57:06 UTC

This archive was generated by hypermail 2.4.0 : Friday, 25 March 2022 10:09:00 UTC