Am 27.05.2012 12:19 schrieb Adam Barth:
On Sun, May 27, 2012 at 3:00 AM, Markus Ernst<derer...@gmx.ch> wrote:
Am 27.05.2012 02:16 schrieb Adam Barth:
I've added a proposal to the wiki
<http://wiki.whatwg.org/wiki/AllowSeamless> about letting a document
indicate that it is willing to be displayed seamlessly with a
cross-origin parent. This proposal is a refinement of the approach
previously discussed in this thread:
<http://old.nabble.com/crossorigin-property-on-iframe-td33677754.html>.
Let me know if you have any feedback.
I have a strong feeling that per-origin control should be made easy for
authors. I must admit that I am not familiar with the mechanisms you name,
Frame-Options and ancestor-origins - and both are quite hard to google for.
From what I found I assume both are about HTTP headers.
If they are solutions that can be used easily with server-side languages
such as PHP, I think we can live with it. But anyway it is a complication;
I'd personnally prefer something like
allowseemles="example.org, *.example.org, shop.otherdomain.com"
Or maybe space separated, and separate inherit-style with comma:
allowseemles="example.org *.example.org shop.otherdomain.com, inherit-style"
(Regardless of whether it is in the HTML element or in a META element.)
I had difficulty coming up with use cases that weren't better served
with frame-ancestors and/or Frame-Options. Do you have a specific use
case in mind to explain your feelings?
My use case is a content provider, who provides e.g. a Sudoku
application or a weather forecast for wind surfers. Paying customers are
allowed to embed the content seamlessly in their web sites. The content
can also be embedded for free, but not seamlessly.
The content provider includes some corporate info, such as his/her own
logo, and a "provided by XY" notice and link to his/her own page. The
paying customers then can apply their own styling, and set the corporate
info to "display:none" in the style sheet of the top document, via
seamless embedding.
