On 02/26/2015 04:34 AM, Alix Pexton wrote:

My understanding of the argument against doing this is that it would be
a potential security hole. If the content of an iframe could control its
size it could theoretically hijack the parent page.

Instead, I would consider using JS to load and insert the content, or
generate the composite page on the server.


Ehh, I'm not sure I buy that.

1. I don't see how the inner content could "squeeze out" the outer page unless the iframe/external-div/whatever is the very first piece of content on the page. Which is highly unlikely since pretty much every site at least has some header logo/banner/menu or something.

2. Using JS to fill an element or server-side compositing suffers from the same theoretical issue too. So really it has nothing to do with iframes and everything to do with embedding external content (which has become ubiquitous anyway, what with ads, jquery, various google tools, disqus, twit/face share widgets, etc.)

Sure, with JS or server-side compositing, there's at least the possibility of sanitizing the inner content first, but that'd be a heuristic mess, and perhaps a pointless bother anyway since...

3. Even if all else fails, the outer page's author should easily be able to mitigate such a problem with a reasonable max-width/max-height.

I think the big thing though is the "really it has nothing to do with iframes and everything to do with embedding external content".
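
An added example, not part of the original message: one way the outer page can enforce the max-width/max-height limit from point 3 when embedded content reports its own preferred size. It assumes the frame sends a `postMessage` shaped like `{type: "embed-resize", width, height}`; that message shape, the origin, the limits and the element id are all hypothetical.

```javascript
// Added example; ALLOWED_ORIGIN, LIMITS, the "embed-resize" message shape and
// the "embed" element id are assumptions, not taken from the thread.
const ALLOWED_ORIGIN = "https://embed.example"; // assumed origin of the embedded content
const LIMITS = { minWidth: 200, maxWidth: 600, minHeight: 100, maxHeight: 800 }; // CSS px

// Clamp one requested dimension; anything that is not a finite number is rejected.
function clampDimension(value, min, max) {
  if (typeof value !== "number" || !Number.isFinite(value)) return null;
  return Math.min(max, Math.max(min, Math.round(value)));
}

// Decide what size, if any, the outer page grants for a resize request.
// Returns {width, height}, or null when the message must be ignored.
function sizeForResizeMessage(event, allowedOrigin = ALLOWED_ORIGIN, limits = LIMITS) {
  if (event.origin !== allowedOrigin) return null; // not the expected embed
  const data = event.data;
  if (data === null || typeof data !== "object" || data.type !== "embed-resize") return null;
  const width = clampDimension(data.width, limits.minWidth, limits.maxWidth);
  const height = clampDimension(data.height, limits.minHeight, limits.maxHeight);
  if (width === null || height === null) return null;
  return { width, height }; // the outer page's bounds always win
}

// Browser wiring: only the known iframe may ask, and only within the bounds.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.getElementById("embed");
  window.addEventListener("message", (event) => {
    if (!frame || event.source !== frame.contentWindow) return;
    const size = sizeForResizeMessage(event);
    if (size) {
      frame.style.width = size.width + "px";
      frame.style.height = size.height + "px";
    }
  });
}
```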

