Re the work on Content Restrictions. We really need a way of embedding (i)frames into pages and preventing them from accessing their parent frame.
Posted by: Ian at March 19, 2007 12:21 PMIan: Same domain iframes, presumably, where you have control of the serving of the content inside the iframe? If so, it has that - see what is currently called the "hierarchy" restriction (in version 0.9.2).
Posted by: Gerv at March 20, 2007 5:58 PMGerv,
Sorry, I meant cross-domain iframes in particular, so that we can embed frames of content from other websites and put them safely in our page without risk of them being able to change the content of our page or redirect our page somewhere else.
Internet explorer has the non-standard security=restricted attribute, but this sucks as it uses the flawed IE concept of zones. I think simply preventing a frame accessing the DOM of the parent would be sufficient - it would be nice if this could be standardised within WHATWG/W3C.
A live web use-case would be Yahoo! images, where they display a frame with information about the website, and show the website in a frame below. They use the IE security=restricted attribute.
Another example is an internal company tool I wrote recently to cycle through a list of blog posts, and mark them as spam or not spam. I wanted to embed the documents in a frame/iframe, but some spammy ones would redirect me away from my tool. In the end I had to use the security=restricted attribute for IE, and for Firefox I make it a link instead. It's a horrible feeling to not only have to use IE for something, but having wrote it too :(
Posted by: Ian at March 21, 2007 9:46 AM[Taken to email]
Posted by: Gerv at March 21, 2007 10:09 AM