[whatwg] Iframe dimensions
Markus Ernst
derernst at gmx.ch
Tue Jul 6 01:40:50 PDT 2010
Am 05.07.2010 22:50 schrieb Aryeh Gregor:
> On Mon, Jul 5, 2010 at 1:13 PM, Markus Ernst <derernst at gmx.ch> wrote:
>> Some content from an external specialized content provider is included in
>> an existing web site via an iframe. This cannot be seamless, as the links
>> in the iframe must point to the original domain of the included document.
>> But in order to avoid double scroll bars, it would be desirable to have the
>> height of the iframe adjusted to it's content.
>
> This use-case is inherently insecure. An iframe's height cannot
> depend on the contents of a cross-origin page unless that origin
> explicitly opts in somehow.
Thank you and Boris for your examples. I see the security issues. Anyway
It would be very helpful in cases like mine, where security and privacy
are not affected, to get an easy way to do this opt-in without the need
of complex scripting, and independent from @seamless. Embedding content
from external providers looks like a quite common case to me, and an
easy opt-in mechanism would help both the customers and the providers of
embedded content.
Am 05.07.2010 22:50 schrieb Aryeh Gregor:
> On Mon, Jul 5, 2010 at 1:13 PM, Markus Ernst <derernst at gmx.ch> wrote:
>> - Interpreting the CSS declaration display:block as the author's wish to get
>> the iframe rendered like a block element is nothing but consistent. There
>> has been no reason for authors to apply this declaration so far, but if
>> anyone did, he/she wanted the rendering I suggest. If not (for example if
>> the iframe is floating), he/she also applied dimensions, be it in the HTML
>> or the CSS code.
>
> The author might or might not originally have wanted the behavior you
> said, but in the end, the site doesn't render that way, and changing
> the rendering like that would make the site look very different from
> the way it looked before (= the final product that the author was
> satisfied with and released).
Am 06.07.2010 02:35 schrieb Boris Zbarsky:
> Experience shows this to not be the case. People blindly apply CSS
> without thinking through the implications as long as the current
> rendering is "right"; I will bet money there are pages out there that
> use display:block on iframes just to get linebreaks before/after and
> will break if the sizing behavior changes.
A BC problem with display:block would only occur if an author applied
this declaration _without_ applying dimensions, which looks quite weird
to me. I admit I have no statistics about this, and no means to get
statistics. But I can hardly imagine that there are many pages like this
out there, as the default dimensions that browsers apply to iframes are
quite special. But anyway, I do not insist in this solution, it was just
an idea that looked consistent to me as an author with little technical
backgrownd knowledge.
More information about the whatwg
mailing list