On 02/26/2015 02:51 PM, Adam D. Ruppe wrote:
I don't think it is a security hole, but websites typically do not get
to set their viewport - the window size is under the user's control.
(one of the few things they have left under the user's control!)
So if you told a site to set its own size... it wouldn't really know
what that is most the time. At least widths tend to be fluid and
variable. Heights sometimes are set dynamically too.
There's solutions to this - the containing page might set it to a width,
then let the height be fluid.
Yea, that's kinda what I had in mind anyway. All these "embedded widget"
things are such a major thing now, and I totally get their appeal and
value (want X feature on your site? Just copy/paste this snippet into
your page REGARDLESS of your server's language/engine!) But so much of
it is done with JS, which is totally unnecessary. Most such things can
easily be no-JS iframes (and I guess some are), but one problem is stuff
like disqus that needs to grow/expand vertically. Traditional iframe
can't really handle that. Looks like HTML5 iframes, thanks to the
seamless attribute, WILL be able to handle something like disqus just
fine with NO js, but looks like seamless is still rather cutting edge
and spotty compatibility despite having been a thing for several years
already. Maybe it can be managed well enough with CSS tweakery though,
for browsers that aren't ultra cutting edge.
That's what most the JS solutions do and
it works pretty well. But maybe that still feels too hacky for the
standards committees, or is just messy to implement for the browser
developers.
