On Thu, 12 Apr 2012 22:17:50 +0200, Ojan Vafai <[email protected]> wrote:
OK, I'm convinced that direct DOM access is a bad idea. seamless was the
use-case I most cared about anyways. In theory, if we use seamless + CORS
for the @src load and any navigations of the frame (including via
Location), then this should be feasible, yes?
Alternately, we could add a special http header and/or meta tag for this,
like x-frame-options, but for the child frame to define it's relationship
to the parent frame.
The problem with CORS might be that if you want to expose content for
embedding with seamless that depends on credentials, XMLHttpRequest can
request that information then too. As a developer trying to make seamless
work cross-origin you might not anticipate that.
On the other hand, the enormous growing number of one-off flags developers
can attach to resources for various features is starting to get worrisome.
--
Anne van Kesteren
http://annevankesteren.nl/
