Remove <iframe seamless>
#331
Comments
annevk
added
removal/deprecation
|
Are the use cases for this simply left unsolved, or is it being done cooperatively with postMessage between the embedder and embedded frame? |
|
I don't think that solves all equally well, but it seems like shadow DOM solves most of them pretty well. |
|
Support was removed from Blink in January 2014, and from the blink-dev discussion I take the sentiment to be more disinterest than disapproval. It would be interesting to hear if there are fundamental problems with the feature, but it would take active implementor interest to save it. |
I notice that in one of Adam Barth’s comments in the thread you cited, he says:
As far as web-developer feedback on the feature, some comments from Ben Vinegar from last year are worth reading; among other things he says:
So I think the gist of it all both from the implementor side and the web-dev side is that |
|
Note also that seamless requires changes to the event model that have never been specified. |
annevk
removed
the
good first issue
|
how should the removal of iframe seamless change for browsing context , as it would take a lot of changes for it's spec. |
|
Yeah, things that look like they can be removed:
Basically everything that builds on top of the seamless feature can go. |
|
okay @annevk , will remove the dependent spec on seamless feature. |
|
This was removed in 1490eba. My mistake for not linking it all together. |
|
Thank you @Ritsyy for making it happen! (And persisting despite my nitpicking. 😊) |
|
@annevk Learned a lot from this bug, thank you so much for all the reviews :) |
|
This is really disappointing as web components do not provide any security, you can't import a web component without it being able to manipulate the page it's in. |
|
Yeah. It would have been cool if someone implemented, IMO, but a number of factors made it not a good tradeoff for implementers given other technologies that serve overlapping use cases (even if none of them serve the exact use case). |
|
Well, here it is, now 2016 as I add this comment, and I am still using a terminal emulator to display my notes. I'd rather use a web browser for display, because, with things like html, latex, mathjax, and chemdoodle, my notes could draw from a rather rich expressive palette. But then, I also prefer a "modular" approach to writing, cutting and pasting together smaller documents, and then also, assembling those smaller sections to form a larger document. And it's nice to have the smaller bits both able to display on their own, and also contribute to that larger document. But, as it is, in 2016, there is still no simple native html markup to allow this sort of thing. https://stackoverflow.com/questions/8988855/include-another-html-file-in-a-html-file Some people had hoped that some combination of "iframe", "seamless", and 'target="_parent"' would address this issue - but no. Instead, whatever the technical issues might be, there seems to be a kind of "stupid white men" paternalism that favors complex script-based source material intended to obfuscate rather than simplify. The implication being that end-users must not be content producers. And browser developers set-out to enforce this dictum. It's political, not technical. Is that too harsh? Where is the simple html construct that assembles a single larger web page from a group of smaller pages, and adopts the styles from its hosting page, without resorting to a lot of javascript? |
|
BTW, "seamless" was back in again in the HTML 5.1 draft in 2016 Mar 10: but out again in the HTML 5.1 draft in 2016 Jun 02: Iframe "seamless" has not returned in the HTML 5.1 draft, 2016 Jun 21: or in the HTML 5.2 draft, 2016 Aug 18: If you are concerned, file an Issue: |
|
Hello @thx1111 and welcome to WHATWG. Please read the following: https://wiki.whatwg.org/wiki/FAQ#Is_there_a_process_for_removing_bad_ideas_from_a_specification.3F (3rd bullet point in this case) Also please read: https://wiki.whatwg.org/wiki/Code_of_Conduct - try to be respectful, ranting and blaming is not very helpful. Thanks! |
|
It seems like the issue is that "seamless" inherited styles, which seemed foolish to begin with. I think "seamless" would be fine if it simply "autofit" it's content, such that embedding an iframe could effect the document flow of the document its embedded in. It's too bad this wasn't just added back in with just auto-resizing. |
|
Note that auto-fitting the height turned out be a serious timing attack vector unless we restricted with CORS. |
|
@rniwa Oh? How did that make a site vulnerable? |
|
@matthew-dean : You can detect what kind of content was shown inside the frame based on how long it look to layout / style / paint. |
|
I'd still find it useful if a CORS check allowed me to combine Having variable-length resources in a scrollable iframe really isn't the best user experience most of the time but, at the very least, I'd really like to be able to keep all remotely loaded content from running in the same origin as my pages. |
|
@rniwa I don't see how that would be possible; there are too many variables on load time, and detailed eventing would be presumably sandboxed. There are how many billions or trillions of web pages? How could you reliably profile page loads for pages that may change, and over connections that vary in latency throughout the day/week? |
|
Well, timing attack is typically done on a very specific website, which the attacker knows. A typical timing attack is robust against websites changing its content. You can read various research paper on this matter. e.g. https://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf |
|
Hmm, still.... a theoretical successful detection doesn't equate to real-world exploits, as one of the requirements of such an exploit would be injection into the page hosting the iframe, or a user unwittingly installing a malicious script into their webpage. Even the calculate style vulnerability of the past relied on malicious scripts being allowed access in the first place. Instead of limiting the utility of useful features of the web, maybe we should focus on the root cause, which is un-sandboxed third-party scripts having full access to the host environment instead of a limited or white-listed API. It just seems unfortunate if a very useful feature of the web becomes a casualty of poor design elsewhere. |
+1 |
This seems like a good candidate for direct removal since per http://caniuse.com/#search=seamless nobody is doing this.
The text was updated successfully, but these errors were encountered: