On 05.07.2010 19:24, Adam Barth wrote:
> On Mon, Jul 5, 2010 at 10:13 AM, Markus Ernst <[email protected]> wrote:
>> First, this sounds somehow complicated to me, and second, I don't understand
>> why the dimensions of non-seamless iframes should not get the benefits of
>> author-friendly (and user-friendly) dimension handling.
>
> One of the reasons is security: if we automatically sized iframes, an
> attacker could learn things about documents in other origins.

I can't imagine how the information about the computed width and height
can be abused - would you mind giving an example?
A possible workaround to security issues could be an element to be set
in the included document, such as a meta tag that contains a comma
separated list of domains that are allowed to include the document, and
also get information about dimensions and such. Some kind of:
<meta name="allow-embedding" content="whatwg.org, mozilla.com">
Also, if this is a potential danger, should the 2 list paragraphs about
width and height in the part on @seamless be removed at all? As far as I
understand, the effects of @seamless require the iframe source to be
from the same origin as the parent document, thus I think that width and
height of an iframe should be computed independent from @seamless. Else,
the whole page layout is likely to change if the iframe source is
navigated from a same-origin document to one from another origin.

> Another reason is compatibility: changing how frames layout would likely
> break the layout of a large number of web sites.

I don't think the 2 solutions I proposed would do any BC harm:
- Inventing a new attribute does not affect legacy browsers (as they
will ignore it), nor legacy pages (as they don't have it).
- Interpreting the CSS declaration display:block as the author's wish to
get the iframe rendered like a block element is nothing but consistent.
There has been no reason for authors to apply this declaration so far,
but if anyone did, he/she wanted the rendering I suggest. If not (for
example if the iframe is floating), he/she also applied dimensions, be
it in the HTML or the CSS code.
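
The allow-list proposed in this message, sketched as an added example that is not part of the original message and not any browser's behaviour. The `allow-embedding` name and the comma-separated format come from the message; the function names, the fail-closed handling and the rule that an entry also covers its subdomains are assumptions.

```javascript
// Hypothetical check for the proposed <meta name="allow-embedding"> list.
// Only the meta name and the comma-separated format come from the message;
// everything else here is an assumption made for illustration.

// A list entry must be a plain dotted host name: no scheme, path or wildcard.
const HOST_ENTRY = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/;

// Split the content attribute into lower-cased, validated host names.
function parseAllowEmbedding(content) {
  return content
    .split(",")
    .map((entry) => entry.trim().toLowerCase())
    .filter((entry) => HOST_ENTRY.test(entry));
}

// Decide whether the embedding page may learn the framed document's size.
function mayExposeDimensions(metaContent, embedderUrl) {
  let host;
  try {
    const url = new URL(embedderUrl);
    // Only web origins can be matched against a host list.
    if (url.protocol !== "https:" && url.protocol !== "http:") return false;
    host = url.hostname.toLowerCase();
  } catch {
    return false; // unparsable embedder URL: fail closed
  }
  // Compare whole labels. A bare suffix or substring test would also accept
  // "evilwhatwg.org" and "whatwg.org.attacker.example".
  return parseAllowEmbedding(metaContent).some(
    (allowed) => host === allowed || host.endsWith("." + allowed)
  );
}

// Constructed sample input, using the list from the message.
const SAMPLE_LIST = "whatwg.org, mozilla.com";
const SAMPLE_EMBEDDERS = [
  "https://whatwg.org/specs/",
  "https://www.mozilla.com/",
  "https://evilwhatwg.org/",
  "https://whatwg.org.attacker.example/",
  "https://whatwg.org@attacker.example/",
];
for (const embedder of SAMPLE_EMBEDDERS) {
  console.log(embedder, mayExposeDimensions(SAMPLE_LIST, embedder));
}
```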