[whatwg] <iframe srcdoc> definition not compatible with existing user-agent user interfaces
Tab Atkins Jr.
jackalmage at gmail.com
Thu Apr 4 22:15:16 PDT 2013
On Thu, Apr 4, 2013 at 2:12 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> The way <iframe srcdoc> is defined, the document URI does not in any way
> encode the document contents.
> Unfortunately, that breaks user-agent and extension features like "open
> frame in new window", "show only this frame", "open frame in new tab", etc.
> I just tried this in the two UAs I have that implement such features, and
> Chrome simply doesn't have such options in its default UI, while in Safari
> those context menu options are in fact just completely broken.
> This seems fairly undesirable. Is there a reason we don't want a URI which
> _will_ encode the source in some way so as to avoid breaking basic UI like
Are you asking to switch back to data urls instead of srcdoc, or are
you asking for a way to generate an equivalent data url from the
The former was addressed during the design of srcdoc - the escaping
requirements of data urls are non-trivial, and given that this is
supposed to be an easy security measure, any difficulty in escaping
means people will fail and get security escapes.
If it's the latter, I think that makes sense.
More information about the whatwg