[whatwg] Iframe dimensions

Markus Ernst derernst at gmx.ch
Tue Jul 6 01:40:50 PDT 2010

Am 05.07.2010 22:50 schrieb Aryeh Gregor:
> On Mon, Jul 5, 2010 at 1:13 PM, Markus Ernst <derernst at gmx.ch> wrote:
>> Some content from an external specialized content provider is included in
>> an existing web site via an iframe. This cannot be seamless, as the links
>> in the iframe must point to the original domain of the included document.
>> But in order to avoid double scroll bars, it would be desirable to have the
>> height of the iframe adjusted to it's content.
> This use-case is inherently insecure.  An iframe's height cannot
> depend on the contents of a cross-origin page unless that origin
> explicitly opts in somehow.

Thank you and Boris for your examples. I see the security issues. Anyway 
It would be very helpful in cases like mine, where security and privacy 
are not affected, to get an easy way to do this opt-in without the need 
of complex scripting, and independent from @seamless. Embedding content 
from external providers looks like a quite common case to me, and an 
easy opt-in mechanism would help both the customers and the providers of 
embedded content.

Am 05.07.2010 22:50 schrieb Aryeh Gregor:
> On Mon, Jul 5, 2010 at 1:13 PM, Markus Ernst <derernst at gmx.ch> wrote:
>> - Interpreting the CSS declaration display:block as the author's wish to get
>> the iframe rendered like a block element is nothing but consistent. There
>> has been no reason for authors to apply this declaration so far, but if
>> anyone did, he/she wanted the rendering I suggest. If not (for example if
>> the iframe is floating), he/she also applied dimensions, be it in the HTML
>> or the CSS code.
> The author might or might not originally have wanted the behavior you
> said, but in the end, the site doesn't render that way, and changing
> the rendering like that would make the site look very different from
> the way it looked before (= the final product that the author was
> satisfied with and released).

Am 06.07.2010 02:35 schrieb Boris Zbarsky:
 > Experience shows this to not be the case.  People blindly apply CSS
 > without thinking through the implications as long as the current
 > rendering is "right"; I will bet money there are pages out there that
 > use display:block on iframes just to get linebreaks before/after and
 > will break if the sizing behavior changes.

A BC problem with display:block would only occur if an author applied 
this declaration _without_ applying dimensions, which looks quite weird 
to me. I admit I have no statistics about this, and no means to get 
statistics. But I can hardly imagine that there are many pages like this 
out there, as the default dimensions that browsers apply to iframes are 
quite special. But anyway, I do not insist in this solution, it was just 
an idea that looked consistent to me as an author with little technical 
backgrownd knowledge.

More information about the whatwg mailing list