On Wed, 27 Jan 2016 12:56:55 +0100, Craig Francis <craig.francis@gmail.com> wrote: > On 26 Jan 2016, at 19:23, Tab Atkins Jr. <jackalmage@gmail.com> wrote: > >> Some quick conversation with fantasai suggests a few routes that we >> could take that would avoid a new property: > > > > > Thanks TJ, > > Personally I like the idea of "height: auto" on an iframe, where the UA > stylesheet sets it to 150px, but completely understand that > compatibility might be an issue there (even if developers are doing this > just to get this specific behaviour). I suspect height:auto won't be Web compatible. For one thing, I believe it would change the heights of iframes for pages that do * { box-sizing: border-box; } > Having said that, as the child document will need to opt-in to this, > then maybe this won't be a problem? > > From my understanding, the opt-in is required as someone malicious could > iframe another website where the user might be logged in, and depending > on if they are logged in or not, the height of the document might be > different. > > CORS might work, and uses existing technology, but this does require an > additional HTTP request (not so good for performance)... so maybe there > as other options? I was thinking of the X-Frame-Options header, but this > seems to be moving to CSP2 frame-ancestors[1] CORS doesn't require an extra request for normal GETs. But I think we should investigate the use cases for cross-origin autoresize more first; maybe using CORS is not suitable because it would expose "too much", and autoresize was the only thing people wanted to enable? > But if this doesn't work, then "height: max-content" would also be > perfectly fine for me (I just don't want to continue setting up more > iframes, with 2 JavaScript files, just to avoid a scroll bar). height:max-content WFM. -- Simon Pieters Opera SoftwareReceived on Wednesday, 27 January 2016 13:04:05 UTC
This archive was generated by hypermail 2.4.0 : Monday, 23 January 2023 02:14:56 UTC