[whatwg] The <iframe> element and sandboxing ideas

[Ian Hickson]

On Sat, 24 May 2008, Ojan Vafai wrote:
> 
> So, the whole point of these is defining elements that are isolated from 
> their surrounding context on different axes. Same origin iframes 
> currently just give you CSS isolation. sandbox affords script isolation. 
> seamless affords the ability to turn off the CSS isolation.
> 
> Seems to me that we need a third property which controls event 
> isolation. Currently events don't propagate in/out of iframes and event 
> coordinates are all relative to the iframe's viewport (e.g. on mouse 
> events).
> 
> My first intuition was that seamless should also just propagate events 
> and have mouse coordinate be relative to the parent browsing context. 
> But I can think of cases where you would want to control the two 
> separately. For example, if you are especially concerned about 
> performance and don't want events in the parent browsing context to be 
> handled by the iframe's contents.

This is an interesting idea, but I think we should wait until we have more 
experience with sandbox="" and seamless="" before adding this feature. I 
am wary of adding too much at once.

(We could add it later by having seamless="allow-events" or some such.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'