WICG / portals

A proposal for enabling seamless navigations between sites or pages
https://wicg.github.io/portals/

Can sites opt-out of being embedded? #17

Status: closed (ithinkihaveacat closed this issue 6 years ago)

ithinkihaveacat commented 6 years ago

The X-Frame-Options header is used to indicate whether the content can be embedded in another via an <iframe>, and is supported by all browsers.

This mechanism seems to have been invented in part to eliminate clickjacking, but another reason was to give content creators a way to prevent their content from being (as they saw it) repurposed and transformed by other sites. (So that site A could prevent its content from being embedded within another site and surrounded with ads or commenting systems incompatible with A's brand, etc.)

Will the portals system respect the X-Frame-Options headers? Will there be a similar "escape" mechanism for portals, so that sites can indicate they do not ever want to be embedded within another, and ensure that the only UI available to users will be the site's own, and that of the browser?

lucasgadani commented 6 years ago

Yes, I think portals should respect X-Frame-Options as well as the iframe's CSP restrictions, since some of the similar concerns that exist with iframes can exist with portals.

It's still not totally clear to me whether we should have a specific way to restrict/allow a site from being loaded in a portal. I think it might be useful, but I don't have any use cases in mind that could benefit from being embedded in a portal, but not in an iframe.

ithinkihaveacat commented 6 years ago

If X-Frame-Options is respected then a lot of content on the web will not be accessible via portals; most big publisher content (just tried nytimes.com, theguardian.com, reddit.com, photos.google.com) is served with X-Frame-Options set to either DENY or SAMEORIGIN, and having it turned on is considered a security best practice.
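The embedding check the two comments above describe (X-Frame-Options DENY/SAMEORIGIN, with a CSP frame-ancestors directive taking precedence when present) as an added, stand-alone example, not code from the thread or from the Portals project. It lets a site owner confirm what their own response headers would permit for a given embedder origin; port matching in CSP sources is simplified and the origins are assumed to be already normalised.

```python
from urllib.parse import urlsplit

def _source_matches(source: str, embedder: str, target: str) -> bool:
    """Match one CSP frame-ancestors source expression against the embedder origin.
    Ports are ignored (a simplification of the CSP host-source matching rules)."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == target
    if src == "*":
        return True
    emb = urlsplit(embedder)
    if src.endswith(":") and "/" not in src:        # scheme source, e.g. "https:"
        return emb.scheme + ":" == src
    scheme, _, host = src.rpartition("://")
    if scheme and scheme != emb.scheme:
        return False
    host = host.split(":")[0]                       # drop any port (simplification)
    if host.startswith("*."):
        return emb.hostname.endswith(host[1:]) and emb.hostname != host[2:]
    return emb.hostname == host

def embedding_allowed(headers: dict, embedder: str, target: str) -> bool:
    """Decide whether target's response may be embedded by a document at embedder,
    following the precedence browsers apply: an enforced CSP frame-ancestors
    directive wins outright; otherwise X-Frame-Options is consulted; with neither
    present the response is embeddable."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            return bool(sources) and any(_source_matches(s, embedder, target) for s in sources)
    # X-Frame-Options is a comma-separated list; conflicting values are treated as DENY.
    values = {v.strip().upper() for v in h.get("x-frame-options", "").split(",") if v.strip()}
    if len(values) > 1:
        return False
    xfo = next(iter(values), "")
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == target
    return True  # header absent or unrecognised: browsers allow embedding

if __name__ == "__main__":
    # Constructed example: a publisher serving SAMEORIGIN, embedded by a third party.
    print(embedding_allowed({"X-Frame-Options": "SAMEORIGIN"},
                            "https://aggregator.example", "https://news.example"))
```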

lucasgadani commented 6 years ago

Our expected use cases for portals are mainly places where iframes are used today. It's not clear to me whether there are enough incentives to host portals in other situations.

That said, we also don't want to create an incentive for publishers to serve content without XFO; as you mentioned, it is considered a security best practice. One of the things we considered is to have an opt-in for portals, so that a site would be able to opt in to being embedded as a portal, even though it opted out from being embedded as an iframe. Would that address your concerns? Any other thoughts?

ithinkihaveacat commented 6 years ago

Yep, I think requiring an opt-in to portals would address my concerns. Will close this issue!