[whatwg] Making cross-domain overlays more user-friendly

[Rowan Nairn]

Hi,

In the spirit of paving some cow paths I'd like to put forward a
proposal for a future version of HTML.  The behavior I'm addressing is
sites that replace links to external content with a framed version of
that content, along with their own overlay of information and links.
I think with some small tweaks it's possible to create a better
experience for the user in these situations.  I wasn't able to find
any discussion of this use case in the archives.  Please excuse me if
this has already been discussed.

Popular websites which often frame other sites instead of linking directly:
- facebook
- ow.ly
- stumbleupon
- digg

Current practice:
- User follows a link which may look like it will take them to
destination-site.com
- Instead they get a page from overlay-site.com with the page from
destination-site.com loaded in an iframe
- The viewport contains the destination-site.com frame taking up most
of the space, plus some "chrome" from overlay-site.com
- The overlay may be completely disjoint from the framed content or
overlapping it slightly
- The overlay may contain information about the framed content,
including URL, title or data specific to overlay-site.com
- The overlay may contain links to further act on the framed URL or
return to overlay-site.com
- The overlay may contain a "close this overlay" button which sets the
location of the window to the framed URL
- Performing actions in the overlay may cause it to increase in size
relative to the framed content, or show dialogs above the framed
content

Problems for user:
- URL of framed page is often hidden
- Navigation in framed page does not get rid of the overlay (without
explicit frame breaking)
- It may not be obvious how to get rid of the overlay
- After the user navigates within the frame, information in the
overlay no longer applies to framed content
- Getting rid of the overlay means refreshing the framed page, either
losing scroll position, or having navigated to another page, possibly
losing the page entirely.
- Framed content may use javascript to detect and break out of frame,
denying the user access to the overlay information
- Malicious overlay sites may try to cause the user to disclose
passwords or private information to them

Requirements:
- address the problems above
- don't introduce new security issues like susceptibility to phishing attacks
- don't rely on a lot of extra effort on the part of web designers
- degrade gracefully in legacy browsers

A Proposal:

I would be interested to hear any ideas for addressing this use case
better.  My idea is as follows:
- Add one new attribute to iframe
  e.g. <iframe src="http://destination-site.com/" main></iframe>
- Add one new method to iframe:
  e.g. removeOverlay()

Effect of <iframe main>:
- The main URL bar should display the framed URL i.e.
http://destination-site.com/
- The browser should display some chrome around any elements from the
overlay page that signify them as foreign to the framed content
- Possibly the browser should display the URL of the overlay somewhere
- The browser should have a built-in button for getting rid of the overlay
- Pressing this button would promote the framed content to the top
level window, retaining state like scroll position
- a iframe.removeOverlay() method should be available in the overlay
page which performs the equivalent of this button
- Navigation within the framed content should have target=_top implied
by default so that navigation always removes the overlay
- The framed content should not be aware that it is framed i.e. its
window object should equal its top object

This proposal would allow current practices to still work but, with
the addition of a single attribute, make the experience better for
users.  Are there any browser vendors interested in implementing such
a feature?

Cheers,
Rowan