[whatwg] crossorigin property on iframe

Anne van Kesteren annevk at opera.com
Thu Apr 12 13:35:38 PDT 2012

On Thu, 12 Apr 2012 22:17:50 +0200, Ojan Vafai <ojan at chromium.org> wrote:
> OK, I'm convinced that direct DOM access is a bad idea. seamless was the
> use-case I most cared about anyways. In theory, if we use seamless + CORS
> for the @src load and any navigations of the frame (including via
> Location), then this should be feasible, yes?
> Alternately, we could add a special http header and/or meta tag for this,
> like x-frame-options, but for the child frame to define it's relationship
> to the parent frame.

The problem with CORS might be that if you want to expose content for  
embedding with seamless that depends on credentials, XMLHttpRequest can  
request that information then too. As a developer trying to make seamless  
work cross-origin you might not anticipate that.

On the other hand, the enormous growing number of one-off flags developers  
can attach to resources for various features is starting to get worrisome.

Anne van Kesteren

More information about the whatwg mailing list