Yes, we're working to remove that as it is a security issue. See https://github.com/whatwg/html/issues/7327 and https://bugs.chromium.org/p/chromium/issues/detail?id=1260366 .
On Thu, Nov 18, 2021 at 12:57 PM Daniel Cheng <[email protected]> wrote: > Hm, I wasn't careful enough when I checked the spec yesterday, I guess. I > notice that <object> seems to fire an error event on HTTP error > <https://html.spec.whatwg.org/multipage/iframe-embed-object.html#:~:text=If%20the%20load%20failed%20(e.g.%20there%20was%20an%20HTTP%20404%20error%2C%20there%20was%20a%20DNS%20error)%2C%20fire%20an%20event%20named%20error%20at%20the%20element%2C%20then%20jump%20to%20the%20step%20below%20labeled%20fallback.>. > Is that not leaky in the same way? > > Daniel > > On Wed, 17 Nov 2021 at 12:16, K. Moon <[email protected]> wrote: > >> There's no generic way to do this, as it would leak information. I don't >> think this route is worth exploring. >> >> On Wed, Nov 17, 2021, 11:44 AM Tibor Goldschwendt <[email protected]> >> wrote: >> >>> We explored postMessages for a bit, too. IIUC, this would only solve the >>> success case properly though. But how do we know the iframe is broken? Not >>> receiving the postMessage could also mean the iframe hasn't completed >>> loading yet. >>> >>> On Wed, Nov 17, 2021 at 11:34 AM Domenic Denicola <[email protected]> >>> wrote: >>> >>>> The "error" event does not fire on iframes though, precisely because we >>>> don't want to leak information cross-origin. >>>> >>>> Pages generally deal with broken iframes, in cases where they need to, >>>> by noticing that the iframe has not sent them the message they expect. (Via >>>> parent.postMessage() from inside the iframe.) That is, they use an opt-in >>>> protocol where the iframed page must affirmatively decide what information >>>> to send cross-origin. >>>> >>>> On Wed, Nov 17, 2021 at 2:24 PM Daniel Cheng <[email protected]> >>>> wrote: >>>> >>>>> The iframe element supports "load" and "error event listeners. Is the >>>>> exact HTTP error needed? Or does the feature just need to know if it >>>>> succeed or not? >>>>> >>>>> Daniel >>>>> >>>>> On Wed, 17 Nov 2021 at 11:19, Tibor Goldschwendt <[email protected]> >>>>> wrote: >>>>> >>>>>> +Nasko Oskov <[email protected]> >>>>>> >>>>>> Thanks, Kahmy. Adding custom code in the browser process is another >>>>>> avenue I'm exploring. Generally though, how do pages deal with broken >>>>>> iframes? >>>>>> >>>>>> On Wed, Nov 17, 2021 at 6:39 AM K. Moon <[email protected]> wrote: >>>>>> >>>>>>> This would violate the same-origin policy, so I don't think you can >>>>>>> do this within Blink, but given this is a chrome: page, maybe you could >>>>>>> add >>>>>>> some code in the browser to give this information to you. >>>>>>> >>>>>>> On Tue, Nov 16, 2021, 4:40 PM Tibor Goldschwendt < >>>>>>> [email protected]> wrote: >>>>>>> >>>>>>>> Hi Blink Dev! >>>>>>>> >>>>>>>> Is there any way to get the HTTP return code of a cross-domain >>>>>>>> iframe? FWIW, the hosting page has the chrome:// scheme while the >>>>>>>> iframe >>>>>>>> has https:// scheme. From my limited testing I receive the load >>>>>>>> <https://developer.mozilla.org/en-US/docs/Web/API/Window/load_event> >>>>>>>> event >>>>>>>> in all scenarios but couldn't find a way to query whether the load >>>>>>>> succeeded. I also tried window.addEventListener('error', ...) and >>>>>>>> iframe.addEventListener('error', ...) without any luck. >>>>>>>> >>>>>>>> Best regards, >>>>>>>> Tibor >>>>>>>> >>>>>>>> -- >>>>>>>> You received this message because you are subscribed to the Google >>>>>>>> Groups "blink-dev" group. >>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>> send an email to [email protected]. >>>>>>>> To view this discussion on the web visit >>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFgr3n%2B8i%2BNQNSJY0DFab9JrXG0QTq3W473t-beRtPYbLn1XjA%40mail.gmail.com >>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFgr3n%2B8i%2BNQNSJY0DFab9JrXG0QTq3W473t-beRtPYbLn1XjA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>> . >>>>>>>> >>>>>>> -- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "blink-dev" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to [email protected]. >>>>>> To view this discussion on the web visit >>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFgr3nL-J4A0bQuXnU1Ns-eUYLNqVV65KZLeY3HuiPuBYQQmiQ%40mail.gmail.com >>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFgr3nL-J4A0bQuXnU1Ns-eUYLNqVV65KZLeY3HuiPuBYQQmiQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>> . >>>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAF3XrKpDqd9ixPDOFiOu7NjMpmMm62nD0JxzBxyHfLmTJhr0PA%40mail.gmail.com >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAF3XrKpDqd9ixPDOFiOu7NjMpmMm62nD0JxzBxyHfLmTJhr0PA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra-wg98rHDRth9nSHHNnTyVx9o4Sx1R5SNGMzcV%2B70U9Mg%40mail.gmail.com.
