[whatwg] Making cross-origin <iframe seamless=""> (partly) usable

Mikko Rantalainen mikko.rantalainen at peda.net
Sun Dec 2 23:56:41 PST 2012


Ian Hickson, 2012-12-01 04:57 (Europe/Helsinki):
> ...and Adam Barth posted some on the wiki:
>> Expandable Advertisement: A publisher wishes to display an advertisement 
>> that expands when the user interacts with the advertisement. Today, the 
>> common practice is for the advertising network to run script in the 
>> publisher's page that receives postMessage instructions to resize the 
>> advertisement's iframe, but this requires that the publisher allow the 
>> advertisement to run script in its page, potentially compromising the 
>> publisher's security.
> 
> It seems to me like the best solution is to have a new HTTP header, with 
> the four following values being allowed:
> 
>    Seamless-Options: allow-shrink-wrap
>    Seamless-Options: allow-styling
>    Seamless-Options: allow-shrink-wrap allow-styling
>    Seamless-Options: allow-styling allow-shrink-wrap

Not that I fancy expandable advertisements, but I fail to see how
that is supposed to work with those headers. Basically, I think that in
such a case the host document should be able to specify something like
the following:

(1) I want to embed a seamless untrusted iframe here, and
(2) the iframe should have a maximum size of e.g. 480x240 pixels (or any
size set via CSS max-width/max-height). However, if the user interacts (I
guess moving focus inside the iframe is enough) with the iframe, then
max-width and max-height are set to "expanded state" (whatever that means).

Is it possible for the host document to detect that the focus is within
the iframe from a cross-origin location? If yes, then all we need is a
cross-origin seamless iframe and a host document script that increases
the max-width and max-height limitations for the seamless iframe.

Does there need to be any support for an expandable seamless iframe
without scripting?

-- 
Mikko
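
The host-side approach discussed in this message, combined with the postMessage resize practice from the quoted use case, as an added example that is not part of the original thread: a publisher-owned handler accepts resize requests only from the expected origin and frame window, and clamps them to limits the publisher chooses. The ad origin, element id, message shape and expanded limits are assumptions; 480x240 is the size named in the message.

```javascript
// Added example: publisher-owned resize handler for an untrusted ad iframe.
// AD_ORIGIN, the message shape and EXPANDED are assumptions for illustration.
const AD_ORIGIN = 'https://ads.example';        // hypothetical ad origin
const COLLAPSED = { width: 480, height: 240 };  // size limit from the message
const EXPANDED = { width: 960, height: 480 };   // assumed "expanded state"

// Returns the size to apply, or null when the message must be ignored.
// `event` is a MessageEvent-like object, `frameWindow` is iframe.contentWindow,
// `userInteracted` is true once focus has moved into the frame.
function decideResize(event, frameWindow, userInteracted) {
  if (event.origin !== AD_ORIGIN) return null;    // wrong sender origin
  if (event.source !== frameWindow) return null;  // not our ad frame
  const d = event.data;
  if (d === null || typeof d !== 'object' || d.type !== 'resize') return null;
  if (!Number.isFinite(d.width) || !Number.isFinite(d.height)) return null;
  if (d.width < 1 || d.height < 1) return null;
  // The publisher, not the ad, chooses the ceiling.
  const limit = userInteracted ? EXPANDED : COLLAPSED;
  return {
    width: Math.min(Math.floor(d.width), limit.width),
    height: Math.min(Math.floor(d.height), limit.height),
  };
}

// Browser wiring (skipped when run outside a browser).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.getElementById('ad-frame'); // hypothetical element id
  let interacted = false;
  if (frame) {
    // When focus moves into a cross-origin frame, the host window blurs and
    // document.activeElement is the iframe element itself.
    window.addEventListener('blur', () => {
      if (document.activeElement === frame) interacted = true;
    });
    window.addEventListener('message', (event) => {
      const size = decideResize(event, frame.contentWindow, interacted);
      if (size === null) return;
      frame.style.width = size.width + 'px';
      frame.style.height = size.height + 'px';
    });
  }
}
```

The frame's content never gets script access to the host page; it can only ask, and the host decides.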


