[whatwg] <iframe srcdoc> definition not compatible with existing user-agent user interfaces
Tab Atkins Jr.
jackalmage at gmail.com
Thu Apr 4 22:15:16 PDT 2013
On Thu, Apr 4, 2013 at 2:12 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> The way <iframe srcdoc> is defined, the document URI does not in any way
> encode the document contents.
>
> Unfortunately, that breaks user-agent and extension features like "open
> frame in new window", "show only this frame", "open frame in new tab", etc.
>
> I just tried this in the two UAs I have that implement such features, and
> Chrome simply doesn't have such options in its default UI, while in Safari
> those context menu options are in fact just completely broken.
>
> This seems fairly undesirable. Is there a reason we don't want a URI which
> _will_ encode the source in some way so as to avoid breaking basic UI like
> this?
Are you asking to switch back to data urls instead of srcdoc, or are
you asking for a way to generate an equivalent data url from the
contents?
The former was addressed during the design of srcdoc - the escaping
requirements of data urls are non-trivial, and given that this is
supposed to be an easy security measure, any difficulty in escaping
means people will fail and get security escapes.
If it's the latter, I think that makes sense.
~TJ
More information about the whatwg
mailing list