[whatwg] Cross-origin opt-in for seamless iframes [was: Iframe dimensions]

Markus Ernst derernst at gmx.ch
Wed Jul 7 07:36:30 PDT 2010


On 06.07.2010 12:31, Aryeh Gregor wrote:
> On Tue, Jul 6, 2010 at 4:40 AM, Markus Ernst <derernst at gmx.ch> wrote:
>> Thank you and Boris for your examples. I see the security issues. Anyway, it
>> would be very helpful in cases like mine, where security and privacy are not
>> affected, to get an easy way to do this opt-in without the need of complex
>> scripting, and independent from @seamless. Embedding content from external
>> providers looks like a quite common case to me, and an easy opt-in mechanism
>> would help both the customers and the providers of embedded content.
> 
> So what you're saying is that you really do just want seamless="" with
> easy cross-origin opt-in, right?  That sounds entirely logical, and
> I'm not sure why it's not specced already (or at least I don't see
> it).  Could this be easily added to CORS?  CORS isn't so easy to set
> up, of course, but I'm not sure it's practical to do better.  An HTML
> tag would work, for HTML pages (the common case for iframes), but then
> the UA wouldn't know whether it's allowed to be seamless until it
> started parsing the response, which might have complications.

You are right, the iframe source could be an image, text, or PDF file or 
whatever, without meta or script elements. But an in-page HTML solution 
would of course make opting-in very easy for authors.

I tried to read about CORS, but did not understand the whole of it. Can 
CORS be set up via server-side scripting, with PHP or whatever? Then it 
will be an acceptable solution, and sooner or later libraries will be 
available for both the server and the client side.

If CORS must be set up by the server administrator, it will be a problem 
in shared hosting environments.

Anyway, for something that looks as easy as allowing an iframe to 
seamlessly integrate a document, the overhead of server-side setup and 
client-side scripting looks huge to me, and it also has the downside of 
being dependent on JavaScript.
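As an added example (not part of this thread or the WHATWG spec text), here is how CORS response headers can be emitted by application code rather than by web-server configuration, shown in Python as a WSGI app; the origin allowlist and the page body are constructed placeholders.

```python
# Added example: CORS opt-in emitted from application code, so no access to the
# web server's own configuration is required. The allowlist is constructed for
# illustration; it is not from the thread.

ALLOWED_ORIGINS = {"https://customer.example", "https://shop.example"}


def cors_headers(request_origin, allowed_origins=ALLOWED_ORIGINS):
    """Return the CORS headers to add for a given Origin request header value.

    Only origins on the allowlist are acknowledged. A missing, "null" or unknown
    Origin gets no Access-Control-Allow-Origin header at all, so the browser
    refuses cross-origin access. The allowed origin is echoed exactly (never
    "*"), and "Vary: Origin" is always set when an Origin was seen so that a
    shared cache cannot hand one origin's response to another.
    """
    if not request_origin:
        return {}
    if request_origin not in allowed_origins:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",
    }


def app(environ, start_response):
    """Minimal WSGI application serving an embeddable document with CORS headers."""
    origin = environ.get("HTTP_ORIGIN")
    headers = [("Content-Type", "text/html; charset=utf-8")]
    headers.extend(cors_headers(origin).items())
    start_response("200 OK", headers)
    return [b"<p>constructed embedded content</p>"]


if __name__ == "__main__":
    # Run locally under the standard-library reference server for a quick check.
    from wsgiref.simple_server import make_server

    make_server("127.0.0.1", 8000, app).serve_forever()
```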
