On May 26, 2012, at 5:16 PM, Adam Barth <[email protected]> wrote: > Hi whatwg, > > I've added a proposal to the wiki > <http://wiki.whatwg.org/wiki/AllowSeamless> about letting a document > indicate that it is willing to be displayed seamlessly with a > cross-origin parent. This proposal is a refinement of the approach > previously discussed in this thread: > <http://old.nabble.com/crossorigin-property-on-iframe-td33677754.html>. > > Let me know if you have any feedback.
Hi Adam, Seems like your use case is well motivated. Two points of feedback: 1) In the Alternatives section, you didn't talk about the alternative of a newly created HTTP header, or else extending one of the headers already affecting embedding security, or in general the tradeoffs of header vs. signifier inside the HTML document to be embedded. I don't have a particular pre-existing opinion on this, but it seems like at least some of the precedent in this case is based on HTTP headers, and it would be good to understand the tradeoffs. 2) It seems like, even if it might not be appropriate to require CORS for this use case, it seems like allowing CORS access should at least be sufficient even if not necessary. In other words, if you are prepared to use CORS anyway for other reasons, then it seems like that should also allow seamless embedding. But perhaps this makes the model too complicated.
