- From: Craig Francis <craig.francis@gmail.com>
- Date: Mon, 22 Feb 2016 11:56:29 +0000
- To: Xidorn Quan <quanxunzhen@gmail.com>
- Cc: Lea Verou <lea@verou.me>, Ojan Vafai <ojan@chromium.org>, Simon Fraser <smfr@me.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, www-style list <www-style@w3.org>, Aleks Totic <atotic@google.com>, Elliott Sprehn <esprehn@google.com>, Ian Kilpatrick <ikilpatrick@google.com>
On 22 Feb 2016, at 09:06, Xidorn Quan <quanxunzhen@gmail.com> wrote:

> On Mon, Feb 22, 2016 at 4:35 PM, Lea Verou <lea@verou.me> wrote:
>> Regarding the security issues, CORS could be one solution, but not a great
>> one as few websites enable it. What about not being able to read the
>> computed height if the iframe is cross-origin? Similarly to how one can't
>> read the computed style applied with :visited.
>
> Impossible. There are too many ways to know the height of an element,
> given it affects layout. Applying restriction to ":visited" is
> possible because we restrict that only "color" is applied for
> ":visited", nothing else. And even for this very simple case (only
> paint is affected), large complexity has been added, at least in
> Gecko.

I believe the current proposal is to use a new header (even if temporary):

    Expose-Height-Cross-Origin: 1;

The discussion is at:

https://github.com/whatwg/html/issues/555#issuecomment-177797476

And thanks Lea, I realise I was going off on a bit of a tangent there :-)

Craig

Received on Monday, 22 February 2016 11:57:06 UTC