On Sat, May 26, 2012 at 10:13 PM, Maciej Stachowiak <[email protected]> wrote:
> On May 26, 2012, at 5:16 PM, Adam Barth <[email protected]> wrote:
>> I've added a proposal to the wiki <http://wiki.whatwg.org/wiki/AllowSeamless> about letting a document indicate that it is willing to be displayed seamlessly with a cross-origin parent. This proposal is a refinement of the approach previously discussed in this thread: <http://old.nabble.com/crossorigin-property-on-iframe-td33677754.html>.
>>
>> Let me know if you have any feedback.
>
> Hi Adam,
>
> Seems like your use case is well motivated. Two points of feedback:
>
> 1) In the Alternatives section, you didn't talk about the alternative of a newly created HTTP header, or else extending one of the headers already affecting embedding security, or in general the tradeoffs of header vs. signifier inside the HTML document to be embedded. I don't have a particular pre-existing opinion on this, but it seems like at least some of the precedent in this case is based on HTTP headers, and it would be good to understand the tradeoffs.
I included some discussion of the Content-Security-Policy header. Is there another HTTP header that you think would be appropriate to extend with this information? I guess there's a case to be made for including it in Frame-Options. I've sort of been hoping we can merge Frame-Options back into Content-Security-Policy, but that challenge is more social than technical.

> 2) It seems like, even if it might not be appropriate to require CORS for this use case, it seems like allowing CORS access should at least be sufficient even if not necessary. In other words, if you are prepared to use CORS anyway for other reasons, then it seems like that should also allow seamless embedding. But perhaps this makes the model too complicated.

In order for the CORS check to pass, we'd need to introduce a crossorigin attribute for iframes (like we've done for images and scripts). We might end up doing that anyway, and if/when we do, maybe it would be appropriate to have that allow seamless. However, there's still problem (2) from the wiki regarding leaking information about subresources.

Adam
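The reply above says a CORS-based opt-in would only work if iframes gained a crossorigin attribute like the one images and scripts already have. The following is an added illustration, not code from this thread, the WHATWG wiki, or any browser: it models the resource-sharing check that such an attribute would have to pass, using the same rules that img and script with crossorigin use (anonymous accepts "*" or the exact requesting origin; use-credentials requires the exact origin plus Access-Control-Allow-Credentials: true). The function seamlessAllowedViaCors, the parent origin, and the sample response headers are all constructed for the example; the attribute's keyword mapping follows the HTML spec's crossorigin rules (missing attribute means no CORS request, an empty or unknown value means anonymous).

```javascript
// Added example (not from the thread). Models the CORS resource-sharing
// check that a hypothetical crossorigin attribute on <iframe> would need
// to pass, using the rules that <img crossorigin> and <script crossorigin>
// already follow:
//   anonymous       -> ACAO must be "*" or exactly the requesting origin
//   use-credentials -> ACAO must be exactly the requesting origin (never
//                      "*") and Access-Control-Allow-Credentials: true
// All header values and origins below are constructed for illustration.

function corsCheck(requesterOrigin, mode, headers) {
  // Header lookups are case-insensitive; normalise names once.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return false; // no opt-in from the resource at all

  if (mode === "anonymous") {
    return acao === "*" || acao === requesterOrigin;
  }
  if (mode === "use-credentials") {
    // A wildcard is not an acceptable opt-in once credentials are sent.
    return acao === requesterOrigin &&
           h["access-control-allow-credentials"] === "true";
  }
  throw new Error("unknown crossorigin mode: " + mode);
}

// Hypothetical helper: would a parent at parentOrigin be allowed to
// render the framed document seamlessly on the strength of CORS alone?
// crossoriginAttr is the raw attribute value, or null when absent.
function seamlessAllowedViaCors(parentOrigin, crossoriginAttr, headers) {
  // Missing attribute: no CORS request is made, so the check cannot pass.
  if (crossoriginAttr === null || crossoriginAttr === undefined) return false;
  // Per the crossorigin keyword table, "" and unrecognised values are
  // treated as anonymous; only "use-credentials" selects credentials mode.
  const mode = crossoriginAttr.toLowerCase() === "use-credentials"
    ? "use-credentials"
    : "anonymous";
  return corsCheck(parentOrigin, mode, headers);
}

// Constructed sample scenario: a framed document that opts in for one
// specific parent origin, with credentials permitted.
const PARENT_ORIGIN = "https://parent.example";
const SAMPLE_FRAME_HEADERS = {
  "Content-Type": "text/html",
  "Access-Control-Allow-Origin": "https://parent.example",
  "Access-Control-Allow-Credentials": "true",
};

// Walk through the cases the thread talks about.
function demo() {
  return {
    noAttribute: seamlessAllowedViaCors(PARENT_ORIGIN, null, SAMPLE_FRAME_HEADERS),
    anonymous: seamlessAllowedViaCors(PARENT_ORIGIN, "", SAMPLE_FRAME_HEADERS),
    withCredentials: seamlessAllowedViaCors(PARENT_ORIGIN, "use-credentials", SAMPLE_FRAME_HEADERS),
    otherParent: seamlessAllowedViaCors("https://other.example", "anonymous", SAMPLE_FRAME_HEADERS),
  };
}
```

The point the model makes concrete is the one in the reply: the response headers alone decide nothing until the embedding side actually issues a CORS request, which for iframes needs an attribute that does not exist yet; and even a wildcard opt-in is rejected once credentials are in play.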
