[whatwg] <iframe srcdoc> definition not compatible with existing user-agent user interfaces

Tab Atkins Jr. jackalmage at gmail.com
Thu Apr 4 22:15:16 PDT 2013


On Thu, Apr 4, 2013 at 2:12 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> The way <iframe srcdoc> is defined, the document URI does not in any way
> encode the document contents.
>
> Unfortunately, that breaks user-agent and extension features like "open
> frame in new window", "show only this frame", "open frame in new tab", etc.
>
> I just tried this in the two UAs I have that implement such features, and
> Chrome simply doesn't have such options in its default UI, while in Safari
> those context menu options are in fact just completely broken.
>
> This seems fairly undesirable.  Is there a reason we don't want a URI which
> _will_ encode the source in some way so as to avoid breaking basic UI like
> this?

Are you asking to switch back to data urls instead of srcdoc, or are
you asking for a way to generate an equivalent data url from the
contents?

The former was addressed during the design of srcdoc - the escaping
requirements of data urls are non-trivial, and given that this is
supposed to be an easy security measure, any difficulty in escaping
means people will fail and get security escapes.

If it's the latter, I think that makes sense.

~TJ
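The escaping difference discussed in this message, as an added example that is not part of the original thread: `srcdoc` needs only `&` and `"` escaped inside a double-quoted attribute, while markup pasted unescaped into a `data:` URL is cut at the first `#` and has its `%XX` sequences rewritten. All function names are hypothetical, the sample markup is constructed, and `dataUrlBody` is a simplified model of data URL decoding, not a full URL parser.

```javascript
// Added example; names are hypothetical and the sample input is constructed.

// srcdoc: inside a double-quoted attribute only & and " need escaping.
function escapeForSrcdoc(html) {
  return html.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Naive data: URL, with the markup pasted in unescaped.
function naiveDataUrl(html) {
  return 'data:text/html,' + html;
}

// Equivalent data: URL generated from the srcdoc contents: percent-encode
// every character that is significant in a URL ('#', '%', and so on).
function srcdocToDataUrl(html) {
  return 'data:text/html;charset=utf-8,' + encodeURIComponent(html);
}

// Simplified model (assumption) of recovering a data: URL body: drop the
// fragment at the first '#', take the text after the first ',', then
// percent-decode valid %XX sequences as UTF-8. Malformed '%' is kept as-is.
function dataUrlBody(url) {
  const noFragment = url.split('#', 1)[0];
  const body = noFragment.slice(noFragment.indexOf(',') + 1);
  const enc = new TextEncoder();
  const bytes = [];
  for (const [ch, hex] of body.matchAll(/%([0-9A-Fa-f]{2})|[\s\S]/gu)) {
    bytes.push(...(hex ? [parseInt(hex, 16)] : enc.encode(ch)));
  }
  return new TextDecoder().decode(new Uint8Array(bytes));
}

// Constructed sample: untrusted comment markup destined for a sandboxed frame.
const SAMPLE = '<p>Issue #12: 50%25 of "R&amp;D" done</p><a href="#top">top</a>';

function demo() {
  return {
    srcdocAttr: `<iframe sandbox srcdoc="${escapeForSrcdoc(SAMPLE)}"></iframe>`,
    naiveBody: dataUrlBody(naiveDataUrl(SAMPLE)),      // cut off at the first '#'
    encodedBody: dataUrlBody(srcdocToDataUrl(SAMPLE)), // round-trips unchanged
  };
}

console.log(demo());
```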


