[whatwg] Iframe dimensions
derernst at gmx.ch
Mon Jul 5 12:37:15 PDT 2010
On 05.07.2010 19:24, Adam Barth wrote:
> On Mon, Jul 5, 2010 at 10:13 AM, Markus Ernst <derernst at gmx.ch> wrote:
>> First, this sounds somehow complicated to me, and second, I don't understand
>> why the dimensions of non-seamless iframes should not get the benefits of
>> author-friendly (and user-friendly) dimension handling.
> One of the reasons is security: if we automatically sized iframes, an
> attacker could learn things about documents in other origins.
I can't imagine how the information about the computed width and height
can be abused - would you mind giving an example?
A possible workaround to security issues could be an element to be set
in the included document, such as a meta tag that contains a comma
separated list of domains that are allowed to include the document, and
also get information about dimensions and such. Some kind of:
<meta name="allow-embedding" content="whatwg.org, mozilla.com">
Also, if this is a potential danger, should the 2 list paragraphs about
width and height in the part on @seamless be removed altogether? As far as I
understand, the effects of @seamless require the iframe source to be
from the same origin as the parent document, thus I think that width and
height of an iframe should be computed independently of @seamless. Else,
the whole page layout is likely to change if the iframe source is
navigated from a same-origin document to one from another origin.
> Another reason is compatibility: changing how frames layout would likely
> break the layout of a large number of web sites.
I don't think the 2 solutions I proposed would do any BC harm:
- Inventing a new attribute does not affect legacy browsers (as they
will ignore it), nor legacy pages (as they don't have it).
- Interpreting the CSS declaration display:block as the author's wish to
get the iframe rendered like a block element is nothing but consistent.
There has been no reason for authors to apply this declaration so far,
but if anyone did, he/she wanted the rendering I suggest. If not (for
example if the iframe is floating), he/she also applied dimensions, be
it in the HTML or the CSS code.
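
The allow-list check proposed in the message above, as an added example that is not part of the original message and not an existing browser feature. `allow-embedding` is the hypothetical meta name from the message; the function names, the exact-host matching rule and the sample origins are assumptions made for illustration.

```javascript
// Added example. Assumption: an entry matches only the exact host name,
// so subdomains and lookalike hosts are not implicitly trusted.

// Parse the comma-separated content attribute into a set of host names.
function parseAllowList(content) {
  return new Set(
    String(content)
      .split(",")
      .map((entry) => entry.trim().toLowerCase())
      // Keep only plain host names; drop empty entries, wildcards, URLs.
      .filter((entry) => /^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(entry))
  );
}

// Decide whether the embedding page may learn the framed document's
// computed dimensions. Fails closed on anything it cannot parse.
function mayExposeDimensions(content, embedderOrigin) {
  let url;
  try {
    url = new URL(embedderOrigin);
  } catch {
    return false; // e.g. the opaque origin "null"
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // URL.hostname is already lowercased; compare whole host names, never
  // substrings or suffixes, so "whatwg.org.evil.example" does not match.
  return parseAllowList(content).has(url.hostname);
}

// Constructed sample input, using the content value from the message.
const content = "whatwg.org, mozilla.com";
for (const origin of [
  "https://whatwg.org",
  "https://whatwg.org.evil.example",
  "https://notmozilla.com",
  "null",
]) {
  console.log(origin, "->", mayExposeDimensions(content, origin));
}
```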