[css-sizing] Auto-resize iframes based on content

In https://lists.w3.org/Archives/Public/www-style/2017Aug/0045.html, Craig Francis said:

Just re-raising the suggestion of allowing an iframe or textarea to increase its height based on its content.

Mats Palmgren suggested that I raise this issue again, as Firefox is unlikely to implement it unless the CSSWG agrees to spec it.

For iframes, this feature would allow easy and secure (isolated) embedding of third party content without issues relating to scroll bars (i.e. needing custom JavaScript to ask the parent page, via postMessage, to change the iframe height).

For textrareas, this is just a convenience feature, as trying to get JavaScript to do this is tricky (e.g. the browser can automatically add/remove scroll bars, which can throw off the calculations).

When we discussed this last time (after the @seamless attribute on the was removed from the WHATWG spec), it was suggested that we used:</p> <pre><code>iframe, textrarea { height: max-content; }</code></pre> <p>In the case of the iframe, the child page would need to send a HTTP header (e.g. Expose-Height-Cross-Origin: 1), so it does not leak information about that website (e.g. if the user is logged in).</p> <p>PS: This has been discussed in a number of times before, the earliest one I've found is 16 years old:</p> <p><a rel="noreferrer nofollow" target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=80713">https://bugzilla.mozilla.org/show_bug.cgi?id=80713</a></p> <p>And I've written up some notes about this feature, which includes the suggestion of using it for element height animation (e.g. disclosure widgets):</p> <p><a rel="noreferrer nofollow" target="_blank" href="https://github.com/craigfrancis/iframe-height">https://github.com/craigfrancis/iframe-height</a></p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/tomhodgins"><img src="https://avatars.githubusercontent.com/u/955601?v=4" />tomhodgins</a> commented <strong> 7 years ago</strong> </div> <div class="markdown-body"> <p>I don't understand why “expand to fit <code>scrollHeight</code>” hasn't been the <em>default</em> behaviour for <code><textarea></code> all along. In a lot of my demos where I want to add this sort of functionality I achieve this effect by somehow running the following 2 lines of JavaScript from the context of an element:</p> <pre><code class="language-javascript">element.style.height = 'inherit' element.style.height = element.scrollHeight + 'px'</code></pre> <p>I've written a little JavaScript function that can help me apply an auto-height or auto-width to elements that match CSS selectors here that uses this same logic: <a href="https://github.com/tomhodgins/reprocss/blob/master/mixins/auto-expand.js">https://github.com/tomhodgins/reprocss/blob/master/mixins/auto-expand.js</a></p> <p>Mixin Demo: <a href="https://tomhodgins.github.io/reprocss/test/auto-expand-mixin.html">https://tomhodgins.github.io/reprocss/test/auto-expand-mixin.html</a></p> <p>Another Auto-Height demo: <a href="https://codepen.io/tomhodgins/pen/KgazaE">https://codepen.io/tomhodgins/pen/KgazaE</a></p> <p>Another Auto-Width demo: <a href="https://codepen.io/tomhodgins/pen/ZpLxjy">https://codepen.io/tomhodgins/pen/ZpLxjy</a></p> <p>As for auto-height <code><iframe></code>, I believe I've seen this happen on iOS before, but I'm not sure I could dig up the CSS. I'll see if I can recreate it :D</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/craigfrancis"><img src="https://avatars.githubusercontent.com/u/1296695?v=4" />craigfrancis</a> commented <strong> 7 years ago</strong> </div> <div class="markdown-body"> <p>With iOS, this is their default behaviour for iframes... they call it <a href="https://lists.w3.org/Archives/Public/www-style/2016Feb/0187.html">frame flattening</a>.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/eeeps"><img src="https://avatars.githubusercontent.com/u/3441390?v=4" />eeeps</a> commented <strong> 7 years ago</strong> </div> <div class="markdown-body"> <p>What happens when</p> <pre><code class="language-html"><style> p { font-size: 100px; } @media (min-height: 50px) { p { font-size: 1px; } } </style> <p>hi</p></code></pre> <p>gets iframed into</p> <pre><code class="language-html"><style>iframe { height: max-content; }</style> <iframe src="is-this-a-circular-dependency.html"></iframe></code></pre> <p>?</p> <p><strong>UPDATE:</strong> I see this has already been <a href="https://lists.w3.org/Archives/Public/www-style/2016Feb/0065.html">asked</a> and that there are already some proposed [answers]().</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/craigfrancis"><img src="https://avatars.githubusercontent.com/u/1296695?v=4" />craigfrancis</a> commented <strong> 7 years ago</strong> </div> <div class="markdown-body"> <p>As a website developer, I'd be happy for the iframe to simply increase in size (so the scroll bars weren't required), and to not bother scaling back again.</p> <p>Which works quite well with the name <code>max-content</code>.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/liamquin"><img src="https://avatars.githubusercontent.com/u/8258535?v=4" />liamquin</a> commented <strong> 7 years ago</strong> </div> <div class="markdown-body"> <p>This could be a win for accessibility (and monetization/conversion) for inserted adverts, where e.g. the user has specified a larger minimum text size than the default, but at the expense of page reflows as each ad slot gets populated.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/css-meeting-bot"><img src="https://avatars.githubusercontent.com/u/27466577?v=4" />css-meeting-bot</a> commented <strong> 7 years ago</strong> </div> <div class="markdown-body"> <p>The Working Group just discussed <code>Auto resizing of iframes and textarea based on content size</code>, and agreed to the following resolutions:</p> <ul> <li><code>RESOLVED: Add textarea sizing to Sizing L4</code></li> </ul> <details><summary>The full IRC log of that discussion</summary> <gregwhitworth> Topic: Auto resizing of iframes and textarea based on content size<br> <astearns> github: https://github.com/w3c/csswg-drafts/issues/1771<br> <gregwhitworth> TabAtkins: there have been many requests for textarea and iframes resize on content<br> <gregwhitworth> TabAtkins: we talked it over and thought, yeah probably ok<br> <gregwhitworth> TabAtkins: we started experimenting with this<br> <gregwhitworth> TabAtkins: figure our some mechanism content based sizing for textarea and iframes<br> <gregwhitworth> TabAtkins: we learned some issues impl seamless with iframes due to COR leaking information<br> <gregwhitworth> TabAtkins: we suspect we'd walk up the frame tree until we hit a fixed size to resolve the mqs<br> <gregwhitworth> TabAtkins: Someone from Moz impl this<br> <gregwhitworth> dbaron: we got the spec to say that's how media queries work, but seamless was removed<br> <gregwhitworth> dbaron: we have code for it - but it's not necessarily something you can write up in a spec<br> <gregwhitworth> dbaron: you need to figure out how to spec it<br> <gregwhitworth> iank_: what type of interesting things<br> <gregwhitworth> dbaron: I'd need to look, like it tries to do layout<br> <fantasai> s/do layout/do layout, and then tries again/<br> <gregwhitworth> rossen: we used to have a technology that would allow you to do layout based on then content size and we killed it<br> <smfr> q+<br> <gregwhitworth> Rossen: performance becomes a concern for those<br> <tantek> The iframe use-case for me is known width (set by container), auto (preferably auto-expanding) height<br> <gregwhitworth> Rossen: when you consider extensions they try to size the box, and it's shrink to fit it becomes very bad for perf<br> <gregwhitworth> Rossen: Our experimentation for this suggests it was bad, but maybe you'll find something<br> <gregwhitworth> TabAtkins: they're both pretty separate features anyways<br> <Rossen> q?<br> <gregwhitworth> TabAtkins: are we ok experimenting in this space<br> <gregwhitworth> TabAtkins: the textarea would go into sizing 4<br> <gregwhitworth> smfr: we've had the auto sizing of the iframe even COR<br> <gregwhitworth> smfr: it makes your frame layout outside in rather than inside out<br> <gregwhitworth> smfr: we've had quite a few media query bugs<br> <gregwhitworth> smfr: we ran into media query cycles<br> <gregwhitworth> TabAtkins: that means that you weren't doing media queries the way we defined<br> <smfr> q-<br> <gregwhitworth> smfr: it does bring about nasty things in the code<br> <gregwhitworth> TabAtkins: how is this different from regular layout<br> <gregwhitworth> smfr: you can avoid laying out the iframe, if you have to you have to dirty the other nodes<br> <gregwhitworth> TabAtkins: ok, let's talk about this later<br> <gregwhitworth> dbaron: I think the media query problems you had were due to doing what authors weren't expecting<br> <gregwhitworth> TabAtkins: this would be opt in<br> <gregwhitworth> tantek: how do you trigger behavior in iOS<br> <gregwhitworth> smfr: you always get it<br> <gregwhitworth> smfr: users don't experience nested scrollers, we always wanted page scrolling to win so you don't get trapped<br> <gregwhitworth> tantek: width is expected and height is auto<br> <gregwhitworth> smfr: yes<br> <gregwhitworth> Rossen: ok, so - it seems that Google wants to experiment with this - Apple has it and wants to remove it<br> <gregwhitworth> Rossen: do you want a resolution<br> <gregwhitworth> TabAtkins: The textarea one is simple enough to go into sizing 4<br> <gregwhitworth> TabAtkins: the iframe one can go in WICG<br> <gregwhitworth> Rossen: any objections to adding textareas to CSS Sizing L3<br> <gregwhitworth> fantasai: yes<br> <gregwhitworth> TabAtkins: I said 4<br> <gregwhitworth> Rossen: Ok, L4<br> <gregwhitworth> fantasai: ok - I'm ok with that<br> <gregwhitworth> Rossen: Changes to sizing L4<br> <fantasai> fantasai: we can add a note for L3<br> <gregwhitworth> Resolved: Add textarea sizing to Sizing L4<br> <fantasai> RESOLVED: Add textarea sizing to Sizing L4<br> <gregwhitworth> *discuss whether to do in WICG*<br> <gregwhitworth> TabAtkins to spin up a WICG regarding auto sizing of iframes<br> <tantek> I'm a bit surprised that we're not even putting into a WD something that's been shipping in iOS for 10 years<br> </details> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/tantek"><img src="https://avatars.githubusercontent.com/u/46418?v=4" />tantek</a> commented <strong> 7 years ago</strong> </div> <div class="markdown-body"> <p>The auto-resizing (specifically height) of iframes is a highly desirable feature for authors.</p> <p>I have been using this feature for quite some time on my event posts, e.g.:</p> <p><a href="http://tantek.com/2017/305/e1/homebrew-website-club">http://tantek.com/2017/305/e1/homebrew-website-club</a></p> <p>I use an iframe to embed an unknown number of RSVPs generated by an external service, and it is quite handy (e.g. on iOS Safari) for that iframe of RSVPs to auto-grow (in height) as more RSVPs come in.</p> <p>I'd very much like to see iframe auto-sizing added to Sizing L4 as well.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/fantasai"><img src="https://avatars.githubusercontent.com/u/725717?v=4" />fantasai</a> commented <strong> 7 years ago</strong> </div> <div class="markdown-body"> <p>@tantek I'm in favor, but that requires addressing the security concerns at the very least; textarea doesn't have that consideration. If we work it out in the same timeframe as the rest of the features and get implementer backing, I'd be happy to have it in L4.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/Nadya678"><img src="https://avatars.githubusercontent.com/u/31185239?v=4" />Nadya678</a> commented <strong> 6 years ago</strong> </div> <div class="markdown-body"> <p>I vote for max-content for <code><textarea/></code> and other elements but against for not sameorigin <code><iframe/></code> and <code><object/></code>. If <code><iframe/></code> is not sameorigin, the value should be resolved to auto. </p> <p>Reason: the autosizing of textarea should be implemented, and also horizontal equivalent for width for <code><input/></code> but without security problems. </p> <p>BTW. <code><iframe/></code> is old technology and this attribute doesn't have to be implemented on it. </p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/fantasai"><img src="https://avatars.githubusercontent.com/u/725717?v=4" />fantasai</a> commented <strong> 6 years ago</strong> </div> <div class="markdown-body"> <p>Moving <code>textarea</code> and <code>input</code> discussion to <a href="https://github.com/w3c/csswg-drafts/issues/2141">https://github.com/w3c/csswg-drafts/issues/2141</a> ; this one will remain open for <code>iframe</code>, since its security implications are more complex.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/fantasai"><img src="https://avatars.githubusercontent.com/u/725717?v=4" />fantasai</a> commented <strong> 6 years ago</strong> </div> <div class="markdown-body"> <p>Note: The CSSWG resolved to accept this for <code>textarea</code> and text <code>input</code> fields in #2141.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/Malvoz"><img src="https://avatars.githubusercontent.com/u/26493779?v=4" />Malvoz</a> commented <strong> 6 years ago</strong> </div> <div class="markdown-body"> <blockquote> <p>In the case of the iframe, the child page would need to send a HTTP header (e.g. <code>Expose-Height-Cross-Origin: 1</code>), so it does not leak information about that website</p> </blockquote> <p>From <a href="https://github.com/whatwg/html/issues/555">https://github.com/whatwg/html/issues/555</a>:</p> <blockquote> <blockquote> <p>For cross-origin I suppose the embeddee would need to opt-in somehow (e.g. meta tag), to not expose new information cross-origin.</p> </blockquote> <p>Now that we have <a href="https://github.com/WICG/feature-policy">Feature Policy</a>, I think that's the way to go about that. Similarly, there is a proposal to <a href="https://github.com/WICG/feature-policy/issues/132">expose <code>bounds</code></a> cross-origin.</p> </blockquote> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/matthew-dean"><img src="https://avatars.githubusercontent.com/u/414752?v=4" />matthew-dean</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>Since an <code><iframe></code> src can be set to an SVG, would max-content work for SVGs as well? </p> <p>This is actually great that something might actually happen, because it means we could finally:</p> <ol> <li>Have HTML partials!</li> <li>Emulate container queries!</li> </ol> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/prlbr"><img src="https://avatars.githubusercontent.com/u/11777434?v=4" />prlbr</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>Could it be implemented for same-origin iframes please even if not all security concerns are sorted out for the foreign-origin scenario yet?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>What I'd be interested in seeing here is a more formal description as "contents" isn't really cutting it I think. It's effectively about resizing the viewport to some dimension and that definition will need to account for negative margins and other fun tricks.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/craigfrancis"><img src="https://avatars.githubusercontent.com/u/1296695?v=4" />craigfrancis</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>When an <code><iframe></code> is created at the moment, it will typically create a scrollbar (the thing I want to avoid). I assume the browser knows how big the "content" is to make that scroll bar; so can we use that to set the height?</p> <p>I'm fairly sure we can treat the width as fixed, as we do with the main browser window - where it will wrap the contents, or use a horizontal scroll bar when that's not possible (I think most developers will understand if they try to show something that's too wide).</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>Yeah, I'm not really sure where all that machinery is defined and what defines that overflow to the left on ltr pages is ignored, etc. There is probably something there that can be used, but then there's also the complication of defining this in a way that works for mobile, where there's multiple viewports and such.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/prlbr"><img src="https://avatars.githubusercontent.com/u/11777434?v=4" />prlbr</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>Just a note on why this would be useful, even if only for same-origin iframes in the beginning: With Edge soon using chromium, all major browsers will support <code><iframe srcdoc></code>, and <code>srcdoc</code>s are always same-origin.</p> <p>Encapsulating comments in a blog is a use case for <code><iframe srcdoc></code> which is also given as the <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-srcdoc">example in the HTML standard</a>. Comments are almost always displayed in full height in blogs, so having the <code><iframe></code> as high as its content is almost always the desired behaviour.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>@emilio the proposal for recursion appears to be to do an initial pass and then let the scrollbars appear as needed: <a href="https://github.com/craigfrancis/iframe-height/blob/master/problems/infinite-loops.md">https://github.com/craigfrancis/iframe-height/blob/master/problems/infinite-loops.md</a>.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/emilio"><img src="https://avatars.githubusercontent.com/u/1323194?v=4" />emilio</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>So if you do layout during page load, then you get an empty iframe? What Roc implemented in Gecko was that media queries were resolved against the parent document.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/craigfrancis"><img src="https://avatars.githubusercontent.com/u/1296695?v=4" />craigfrancis</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>@emilio, I'll be very happy if you can improve on this... my suggestion it just there to make the most basic implementation that should work for both browser and website developers (I have since updated that page to note a suggestion where the child page could call a JavaScript method to request the height be updated, but that's just to round off the idea).</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/indolering"><img src="https://avatars.githubusercontent.com/u/44454?v=4" />indolering</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>Maybe my tone was harsh (sorry) but I am confused about the downvotes with regard to my comment on side channels.</p> <blockquote> <p>Could it be implemented for same-origin iframes please even if not all security concerns are sorted out for the foreign-origin scenario yet?</p> </blockquote> <p>I think relaxing the header policy for same origin and subdomains would be reasonable.</p> <p>At the very least, allow this to be set using <code><meta></code> tags.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <p>Side-channels are indeed real and problematic and therefore we should strive not to introduce more of them. The primary security boundary of the web is origins and therefore subdomains are not that reasonable as you might think.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/indolering"><img src="https://avatars.githubusercontent.com/u/44454?v=4" />indolering</a> commented <strong> 5 years ago</strong> </div> <div class="markdown-body"> <blockquote> <p>Side-channels are indeed real and problematic and therefore we should strive not to introduce more of them.</p> </blockquote> <p>I'm sorry, I understand wanting to err on the safe side. A lot of "technically less secure" arguments make implementation and uptake harder without materially impacting security. I was also just interested in what serious attack would be 😸.</p> <p>Ergonomics is my main concern, which can be addressed by making this feature controllable via HTTP headers and <code><meta></code> tags. Would a global JS variable be reasonable?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/felixfbecker"><img src="https://avatars.githubusercontent.com/u/10532611?v=4" />felixfbecker</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>I am a bit confused why the security concern is a blocker for <code><iframe></code>, when <code><object></code> already does this (at least when embedding an SVG, even cross-origin). <code><iframe></code>s are a lot more secure because they have attributes like <code>sandbox</code> and <code>csp</code>, which <code><object></code> does not. So currently we are forced to use <code><object></code> to embed SVGs in a responsive, accessible, interactive way (<code><img></code> doesn't expose contents to screen readers, make links clickable or text selectable) with no way to disallow scripts in SVG to run. Having iframe resizing would therefor be an <em>improvement</em> to security in my eyes because it stops forcing us to use less secure alternatives.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/tabatkins"><img src="https://avatars.githubusercontent.com/u/682840?v=4" />tabatkins</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>Been discussing this with @chrishtr as an idea to revive.</p> <p>The killer problem with iframe resizing is that the intrinsic size of a third-party page can be an important/dangerous information channel on its own, so allowing sites to get this effect on arbitrary third-party sites is out of the question. A less obvious issue is the reverse; if an iframe can <em>unexpectedly</em> control its own size, it can be used to attack the framing page.</p> <p>The trick, then, is making sure that this is opt-in on both sides.</p> <ol> <li>In the iframe, leverage the existing <code>window.resizeTo()</code> function, which currently is a no-op in an iframe, to instead fire a "resize" event on the iframe in the containing document (bubbling, cancelable) when resizing is allowed.</li> <li>In the containing page, explicitly allow resizing with a new value for the <code>allow</code> attribute, <code>allow=resize</code>. If this is not set, the "resize" event will never show up.</li> <li>The containing page can <code>preventDefault()</code> the event, in which case nothing happens.</li> <li>Otherwise, the requested size sets a new "from-element intrinsic size" (name TBD) that can be referenced by a new <code>from-element</code> keyword on <code>contain-intrinsic-size</code>. Like the existing <code>c-i-s: auto</code>, you can accompany this with a default size which'll be used before it's set, like <code>contain-intrinsic-size: from-element 400px 500px;</code>.</li> </ol> <p>In total, then, the containing page doesn't need to run any script at all if they trust the framed page; they can just write <code><iframe allow=resize style="contain-intrinsic-size: from-element 500px 500px"></code> and be done. The iframe will start out with a 500x500 intrinsic size (rather than 300x150, the default), and if the iframe'd document calls <code>window.resizeTo()</code>, the iframe will automatically switch its intrinsic size to that value.</p> <p>However, if the outer page does want to control things (inspecting the value before approving it, batching resizes until later, etc) it's trivial to just listen for the event and <code>preventDefault()</code> when it needs to delay something. The iframe'd page can tell when its been resized by listening for the "resize" event on its own window, as normal.</p> <p>(<code>contain-intrinsic-size</code> is used here because, effectively, iframes are <em>always</em> size-contained (the requirement for <code>c-i-s</code> to apply), and <code>c-i-s</code> lets you hijack the intrinsic size of the element, which is the right place for this size to be inserted into the layout model. It also lets you provide a default, which is useful on its own.)</p> <hr /> <p>The above proposal does require the iframe'd page to run some script, and if it wants its size to be content-based, to do measurement on its own, possibly polling if the size might change over time or due to user interaction. This is because even in a fairly trusted situation, directly exposing content-based sizes can still be dangerous for both sides.</p> <p>However, in a same-origin environment, we can generally loosen these restrictions and assume trustworthiness, so we can do proper content-based resizing and just need to make sure that it's opt-in so we don't get a behavior change on existing pages. So, the proposal for same-origin iframes is:</p> <ol> <li>Continue to use <code>allow=resize</code> and <code>contain-intrinsic-size: from-element</code> to signal that the outer page wants the iframe to be resizable.</li> <li><em>If</em> the iframe is same-origin, it can set a new property (name TBD) on its root element: <code>intrinsic-size: auto | <<length>>{1,2};</code>, with <code>auto</code> meaning the laid-out size of the root element. The <code>c-i-s: from-element</code> value <em>automatically</em> updates to match what this property dictates.</li> </ol> <hr /> <p>So, how does this proposal sound? Agenda+ to intro it at the next call (no need for decision yet).</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>Is there precedent for this in libraries/frameworks/userland? It seems you could already do this with <code>postMessage()</code> if you wanted to.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/chrishtr"><img src="https://avatars.githubusercontent.com/u/3453258?v=4" />chrishtr</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <blockquote> <p>Is there precedent for this in libraries/frameworks/userland?</p> </blockquote> <p>There are indeed various libraries that do it. Here are some examples / related links:</p> <p><a href="https://stackoverflow.com/questions/153152/resizing-an-iframe-based-on-content">https://stackoverflow.com/questions/153152/resizing-an-iframe-based-on-content</a> <a href="http://blog.apps.npr.org/pym.js/">http://blog.apps.npr.org/pym.js/</a> <a href="https://github.com/whatwg/html/issues/555">https://github.com/whatwg/html/issues/555</a> (contains more links to libraries implementing the functionality). The Disqus team also asked for it <a href="https://lists.w3.org/Archives/Public/public-whatwg-archive/2014Feb/0015.html">way back when</a>.</p> <p>I think this is a very common situation also in ads, where the creative may change its sizing and request adjustment in the parent page.</p> <p>Those comments are also asking for automatic resizing without script in some cases, based on the intrinsic sizing of the iframe content.</p> <blockquote> <p>It seems you could already do this with <code>postMessage()</code> if you wanted to.</p> </blockquote> <p>Yes you can, and developers do it. The reason I think this should be a built-in API are:</p> <ul> <li>Common use-case: it will help out developers avoid busywork and unnecessary extra script</li> <li>Third-party coordination: it will help third-party iframes use a compatible API with multiple embedding pages without problems</li> <li>UA integration: allows the resize to be controlled by the user agent, based on policies such as the iframe being offscreen or throttled (these integrations could be specified as add-ons)</li> </ul> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/tabatkins"><img src="https://avatars.githubusercontent.com/u/682840?v=4" />tabatkins</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>Yeah, the first solution is basically "standardize and simplify the postMessage() dance".</p> <p>The second solution is trying to solve the original <code><iframe seamless></code> use-cases (safely embed arbitrary content in your webpage, via a locked-down iframe+srcdoc) without the complications of the "apply outer page's style to the iframe'd page" that <code>seamless</code> tried to do; it's slightly more complex than strictly necessary to keep the overall solution consistent with the first one.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>Looking at this again it struck me there's no success/failure indication for the caller of <code>window.resizeTo()</code>. Not sure if we can return a promise there that resolves with the new/unchanged dimensions, but that would probably be desirable I suspect.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/prlbr"><img src="https://avatars.githubusercontent.com/u/11777434?v=4" />prlbr</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p><code><html></code> (and <code><head></code>, <code><title></code>, <code><body></code>) is optional in <code>srcdoc</code> content, which means that it is implied, if I understand correctly. Please make whatever property is necessary as opt-in in same-origin contained frames also implied for <code>srcdoc</code> content. Otherwise <code>srcdoc</code>s would have to be much more verbose than desired for this to work.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/craigfrancis"><img src="https://avatars.githubusercontent.com/u/1296695?v=4" />craigfrancis</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>I like the suggestion, and I'm fine with the iframed page having to use JS. My focus is on making it as safe and easy for the parent page to include 3rd party content (e.g. no 3rd party <code><script></code> getting access to the rest of the page/site, also helping with site-isolation; or the site itself having their own JS to handle a non-standard <code>postMessage()</code>).</p> <p>The bit I'm not completely sure on is sizing. I like how you've thought about providing a default size while the content is loading (like how an <code><img></code> can now use width/height attributes for the <code>aspect-ratio</code>). But I wonder if there's a simpler way (without using JS) for the parent to apply limits to the size of the iframe?</p> <p>Most cases I can think of will only want the height to change (the parent pages design tends to define the width). So maybe the CSS <code>(min-|max-)?(width|height)</code> might be relevant here?</p> <p>For example, <code>width: 100%</code> or <code>width: 30em</code> could be used by the parent page to fix the width?</p> <p>Also, do you consider the use of <code>contain-intrinsic-size: from-element X Y</code> to be required, considering <code>allow=resize</code> is granting permission to change the size? or is it just providing the default size?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/felixfbecker"><img src="https://avatars.githubusercontent.com/u/10532611?v=4" />felixfbecker</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>Personally I'm <strong>not</strong> fine with JS being required to use JS to resize. Requiring JS for resizing is counter to spreading the use of <code>sandbox</code> and <code>csp</code> attributes when embedding static content, which <em>improve</em> security by disallowing JS.</p> <p>E.g. it should not be required to add JS to an SVG or a static HTML endpoint just so it can embedded in a secure and accessible way (that would make it not well portable as a file). And requiring JS would make it <em>less</em> secure, because I'd love to be able to use <code>sandbox</code> or <code>csp</code> to disallow any JS in the <code>iframe</code>, but that of course is not possible then.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/craigfrancis"><img src="https://avatars.githubusercontent.com/u/1296695?v=4" />craigfrancis</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>@felixfbecker, with @tabatkins suggestion, a same-origin iframe won't require JS (good for your own sandboxed content). 3rd party content (from a different origin), that's going to be trickier to enforce (most 3rd parties will want JS), and should be less of an issue as different origins get their own process/renderer (ref <a href="https://w3c.github.io/webappsec-post-spectre-webdev/">Post-Spectre Web Development</a> and "out-of-process iframes").</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/briansmith"><img src="https://avatars.githubusercontent.com/u/16816?v=4" />briansmith</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <blockquote> <p>good for your own sandboxed content</p> </blockquote> <p>A lot of times my own sandboxed content will be on a different origin; it is on a different origin specifically to help with the sandboxing. I'm not sure how much need there is for optimizing the same-origin case; it might even be a bad idea, if it encourages people to host their untrusted content in the same origin.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/tabatkins"><img src="https://avatars.githubusercontent.com/u/682840?v=4" />tabatkins</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <blockquote> <p>Please make whatever property is necessary as opt-in in same-origin contained frames also implied for srcdoc content.</p> </blockquote> <p>You don't need to have an <code>html</code> tag in the code to set a property on it; dropping a <code><style>html { intrinsic-size: auto; }</style></code> into the srcdoc string suffices, since the <code>html</code> element gets auto-created by the HTML parser.</p> <blockquote> <p>Looking at this again it struck me there's no success/failure indication for the caller of window.resizeTo(). Not sure if we can return a promise there that resolves with the new/unchanged dimensions, but that would probably be desirable I suspect.</p> </blockquote> <p>It currently returns <code>undefined</code>, so there's a decent chance it's upgradeable, actually. </p> <p>However, I'm not certain that it would be useful vs just listening for "resize" on their own window. Fulfilling the promise when the event isn't canceled doesn't tell the iframe that it's been resized, it just indicates that its "from-element intrinsic size" has been updated; whether or not this actually results in a size change for the iframe depends on the containing page's layout. Similarly, rejecting it when the event is preventDefault()'d doesn't tell the iframe that it won't be resized, just that its "from-element intrinsic size" isn't going to be updated. I just can't think of anything that an iframe'd page can meaningfully do in response to this, regardless of whether it's fulfilled or rejected.</p> <p>On the other hand, the "resize" event on <code>window</code> gives you actionable information at all times, regardless of how the resizing took place.</p> <blockquote> <p>Most cases I can think of will only want the height to change (the parent pages design tends to define the width). So maybe the CSS (min-|max-)?(width|height) might be relevant here?</p> </blockquote> <p>Yeah, since this would only affect the "intrinsic size" of the iframe, which is a very weak size input into the layout algorithms, almost anything the author in the outer page does will override and let them have whatever level of control over sizing they wish.</p> <blockquote> <p>Also, do you consider the use of contain-intrinsic-size: from-element X Y to be required, considering allow=resize is granting permission to change the size? or is it just providing the default size?</p> </blockquote> <p>Not <em>strictly</em> required, but without it, it's not clear what the intrinsic size should be before the first <code>resizeTo()</code> call. We could assume 300x150 (the current default), I suppose, but that's probably rarely a useful starting size anyway?</p> <p>I think requiring it also plays slightly better into the generalized feature, where I want to allow <code>textarea</code> to resize based on its content; making the feature consistently activate with a particular property invocation might make it easier to learn and remember, rather than some elements having special ways of triggering the same behavior.</p> <p>I could probably be convinced otherwise, tho.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/prlbr"><img src="https://avatars.githubusercontent.com/u/11777434?v=4" />prlbr</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <blockquote> <p>You don't need to have an <code>html</code> tag in the code to set a property on it; dropping a <code><style>html { intrinsic-size: auto; }</style></code> into the srcdoc string suffices, since the <code>html</code> element gets auto-created by the HTML parser.</p> </blockquote> <p>Ah, good. Is there a reason why a <code>srcdoc</code> should have to explictly opt-in though? The person or script which generates the containing document has also full control over the srcdoc, since it is a part of the containing document. Having to opt-in from inside the srcdoc and from outside seems redundant in this case.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/craigfrancis"><img src="https://avatars.githubusercontent.com/u/1296695?v=4" />craigfrancis</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>@tabatkins Thanks for the background on intrinsic size, that really makes sense.</p> <p>I think a default <code>contain-intrinsic-size</code> would be useful, only because 3rd party services could say "You can include our thing <em>safely</em> on your website with":</p> <pre><code><iframe src="https://..." allow="resize"></iframe></code></pre> <p>I'd rather not see them adding (unsafe-)inline styles to their example/template, or making assumptions on what would be appropriate for the page it will appear on. Maybe browsers could use <code>iframe[allow~=resize] { contain-intrinsic-size: from-element 300px 150px; }</code> in their default style sheet, so developers would see it in their dev-tools, find out what it does, and/or hopefully notice they are getting a weird resize/reflow on page load, and copy/customise it for their website (while the remove the border, set a width, and maybe a max-height).</p> <p>And yes, they would need it for a <code><textarea></code> (I like this suggestion as well), but I suspect many developers would be doing a copy/paste/tweak, rather than learning/remembering.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/tabatkins"><img src="https://avatars.githubusercontent.com/u/682840?v=4" />tabatkins</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>Yeah, I suppose having it set in the UA stylesheet on resizable iframes would work fine; there's already sufficient indication of intent from the attribute, after all. And that way, the style is observable from the DevTools, so it's not too hard to see what you need to change to modify the behavior yourself.</p> <blockquote> <p>Is there a reason why a srcdoc should have to explictly opt-in though? The person or script which generates the containing document has also full control over the srcdoc, since it is a part of the containing document. Having to opt-in from inside the srcdoc and from outside seems redundant in this case.</p> </blockquote> <p>It's a little magic, which I'm always wary of, but srcdoc <em>is</em> explicitly designed for usability, so it might be okay to auto-inject that style into a srcdoc'd iframe at the UA level (so the srcdoc document could easily override it necessary).</p> <blockquote> <p>A lot of times my own sandboxed content will be on a different origin; it is on a different origin specifically to help with the sandboxing. I'm not sure how much need there is for optimizing the same-origin case; it might even be a bad idea, if it encourages people to host their untrusted content in the same origin.</p> </blockquote> <p>A fair concern, but I think the risk of people doing the fairly-obviously-harmful thing of putting untrusted content on unsandboxed same-origin is worth the benefit to authors of allowing resizing to work for same-origin or srcdoc content without script being required. It's not like it's a single line of script, either; you need to regularly poll for changes to your content size.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/fantasai"><img src="https://avatars.githubusercontent.com/u/725717?v=4" />fantasai</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>Rather than minting a new property <code>intrinsic-size</code> that's only useful for this case and is set on the root, can we re-use the standard sizing properties? Like if the root of the contained page says <code>max-content</code>, then we pass up its max-content size. And if it says <code>500px</code> then we pass up 500px. I doubt there's many pages setting sizes on the HTML element, and of those that are, I imagine few would be disturbed by being put in an iframe of their chosen size.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/tabatkins"><img src="https://avatars.githubusercontent.com/u/682840?v=4" />tabatkins</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>Yeah, that might be reasonable.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/css-meeting-bot"><img src="https://avatars.githubusercontent.com/u/27466577?v=4" />css-meeting-bot</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>The CSS Working Group just discussed <code>[css-sizing] Auto-resize iframes based on content</code>.</p> <details><summary>The full IRC log of that discussion</summary> <astearns> topic: [css-sizing] Auto-resize iframes based on content<br> <TabAtkins> https://github.com/w3c/csswg-drafts/issues/1771<br> <TabAtkins> github: https://github.com/w3c/csswg-drafts/issues/1771<br> <fantasai> TabAtkins: Fairly old issue, #1171<br> <fantasai> TabAtkins: originated in HTML in the form of 'seamless' attribute on iframes<br> <fantasai> TabAtkins: meant to allow isolating parts of a page, but still lay them out as if in the page<br> <fantasai> TabAtkins: there were a bunch of issues, dropped from HTML<br> <fantasai> TabAtkins: core ideas still requested by people, in various variants<br> <fantasai> TabAtkins: We believe there's a useful and safe set of resizing behavior that we could expose now<br> <fantasai> TabAtkins: that would solve some of the use cases<br> <TabAtkins> https://github.com/w3c/csswg-drafts/issues/1771#issuecomment-805117925<br> <fantasai> TabAtkins: Core idea is that just the resizing portion of seamless is value<br> <fantasai> TabAtkins: But security issues around being able to tell the size of 3rd-party content<br> <fantasai> TabAtkins: bare minimum, different sizes of content depending on logged in or not<br> <fantasai> TabAtkins: So should only be allowed to take size of 3rd-party content if it wants to allow that<br> <fantasai> TabAtkins: Another problem, if 3rd-party page can trigger resizing without consent of containing page, can create problems as well<br> <fantasai> TabAtkins: So 2-way agreement on sizing<br> <fantasai> TabAtkins: First, outer page needs to opt into resizing based on iframe content<br> <fantasai> TabAtkins: Suggestion is to use new 'resize' value in 'allow' attribute<br> <fantasai> TabAtkins: Then for 3rd-party content, there's a window.resizeTo() method which is a no-op in iframes<br> <fantasai> TabAtkins: Inner page can request such sizes<br> <fantasai> TabAtkins: using this API<br> <fantasai> TabAtkins: Whenever inner page wants a resize, triggers an event on iframe which bubbles up<br> <fantasai> TabAtkins: if not prevetnDefault, then the iframe changes it's size<br> <fantasai> TabAtkins: if cancelled, doesn't change size<br> <fantasai> TabAtkins: This allows control over layout behavior across the page<br> <fantasai> astearns: Possible scripts using resizeTo() and relying on the fact that it does nothing?<br> <fantasai> TabAtkins: it's a no-op currently, so don't think so<br> <fantasai> TabAtkins: ... [ missed ]<br> <fantasai> astearns: Making page decide to allow event or not, already in place due to opt-in to resize behavior<br> <fantasai> cbiesinger: Nothing sounds like CSS thing<br> <fantasai> TabAtkins: kinda sorta<br> <florian> q+ to ask at which level of sizing this works. natural size of the iframe? something else?<br> <fantasai> TabAtkins: it's a cross-spec thing, does interact with CSS by adjusting intrinsic size of iframe<br> <gregwhitworth> q+<br> <fantasai> TabAtkins: gets into issue of same-origin content<br> <TabAtkins> fantasai: YOu wanted a 2-way handshake for security<br> <TabAtkins> fantasai: resizeTo() gives you 2-way for page consenting<br> <TabAtkins> fantasai: If that page is already firing resizeTo() and expecting it not to ahve sec implications<br> <TabAtkins> fantasai: I don't think paying attention to resizeTo() would break the framed page...<br> <TabAtkins> fantasai: But if they're asking for it and it's currently not changing size, the outer page probably isn't expecting a problem.<br> <gregwhitworth> q--<br> <gregwhitworth> ack gregwhitworth<br> <TabAtkins> fantasai: [clarifying] the issue isn't an attack due to sizing, it's a possibly unexpected info leak from the frame'd page, leaking the size it wants to size to<br> <astearns> ack fantasai<br> <fantasai> florian: currently, calling resizeTo() doesn't leak information<br> <fantasai> TabAtkins: could check if stuff in iframes do this currently...<br> <fantasai> fremy: It's not about stuff currently in iframes, but a page could put *anything* into an iframe<br> <fantasai> fremy: which would leak information from that page, which was not intended to be in an iframe<br> <fantasai> florian: resizeTo() doesn't have an effect on pages that are loaded into a window with multiple tabs<br> <fantasai> florian: for exactly this reason: it would leak information about that page to other pages in the same window<br> <astearns> ack florian<br> <Zakim> florian, you wanted to ask at which level of sizing this works. natural size of the iframe? something else?<br> <fantasai> florian: opening up this leak through iframes is similarly bad (worse maybe)<br> <iank_> another path would be an additional dictionary argument to resizeTo, e.g. window.resizeTo(100, 100, {something: true});<br> <fantasai> TabAtkins: Yeah, OK, we need to think about that more. Maybe needs a new API<br> <fantasai> +1 iank_<br> <fantasai> florian: In the case where resize does work, thing it affects is the natural size, right?<br> <fantasai> TabAtkins: Yes. Right now iframes have natural size of 300x150, and this would change that<br> <fantasai> TabAtkins: totally controllable, it's the weakest size input possible<br> <fantasai> fremy: [missed]<br> <fantasai> TabAtkins: currently iframes do not have an aspect ratio<br> <fantasai> TabAtkins: Ability to infer an aspect ratio is an interesting possibility<br> <jensimmo_> q+<br> <fantasai> florian: As long as we're there, should we specify min size and max size separately<br> <fremy> s/[missed]/do iframes have an aspect-ratio applied to that intrinsic size?<br> <fantasai> TabAtkins: Interesting. Not unreasonable to consider.<br> <emilio> q+<br> <astearns> ack jensimmo_<br> <fremy> q+<br> <fantasai> jensimmo_: Curious about use cases<br> <fantasai> jensimmo_: All I can think of is what ad networks will do, and I don't like those thoughts.<br> <fantasai> TabAtkins: There's another proposal for 1st-party content, which addresses more use cases<br> <fantasai> TabAtkins: but even within 3rd-party stuff, currently they do this resizing already, just with postMessage back and forth<br> <fantasai> TabAtkins: This would standardize that<br> <fantasai> TabAtkins: There's also things like Disqus, which does such special-case postMessage things<br> <fantasai> TabAtkins: which is complicated and no standardized way to handle across multiple systems<br> <smfr> q+<br> <fantasai> TabAtkins: YouTube player, e.g., might want to do this. CodePen might want to ask for sizes on its examples. Anything that wants to embed, has a reasonable use case for wanting to request a particular size and have it potentially honored by containing page<br> <fantasai> jensimmo_: If goal is to reduce jankiness of ad network...<br> <fantasai> TabAtkins: that is one goal, but not all of it!<br> <leaverou_> need to drop off briefly for another call, but I'm very supportive of this, and I hope we can find a way to implement it in a privacy and security preserving way.<br> <astearns> ack emilio<br> <fantasai> emilio: How do you react to resize in parent page when using the API?<br> <fantasai> emilio: User shrinks the page, need to somehow coordinate between both. No auto size, only fixed intrinsic size<br> <fantasai> TabAtkins: I don't think there's a reasonable direct analog to block auto-sizing ..<br> <fantasai> emilio: I guess at that point... You don't really need JS on the parent page to get auto height<br> <fantasai> emilio: If you require JS on the parent page then it's not great<br> <fantasai> emilio: So inner page can send resizeTo() whenever it gets Resize event<br> <fantasai> emilio: and then containing page doesn't need to do anything ...<br> <fantasai> emilio: [missed]<br> <fantasai> TabAtkins: possible this makes it easy enough that it's a concern<br> <fantasai> emilio: resize event ... your own resize event<br> <fantasai> TabAtkins: I suspect that's something that would show up fairly quickly<br> <fantasai> emilio: It only consumes CPU, not while:true. I send a message, it resizes me, sends a message back. Code keeps working, just uses a ton of CPU<br> <fantasai> emilio: It's a bug in the page, but.<br> <fantasai> TabAtkins: no-op loops can't happen because if the iframe's resizeTo() doesn't change its size, won't get an event because size didn't change.<br> <fantasai> TabAtkins: Either it'll grow or shrink infinitely, or will jiggle, which should be noticeable<br> <fantasai> emilio: Concerned about e.g. floating point issues, and rounding errors<br> <fantasai> emilio: I've seen that kind of stuff happen<br> <iank_> we also already have the "jiggle" problem today with frame by frame resize-observers.<br> <fantasai> if not causing change in size, then shouldn't cause a problem<br> <fantasai> fremy: can't put a breakpoint in the main page to figure it out because no JS<br> <fantasai> fremy: Already have these kinds of bugs today<br> <astearns> ack fremy<br> <fantasai> smfr: The HTML5 event loop spec is very specific about when resize steps happen<br> <fantasai> smfr: when we spec this, we need to spec it in terms of that event loop spec<br> <fantasai> smfr: Nobody mentioned resizeobserver yet<br> <fantasai> smfr: it's designed to avoid infinite recursion<br> <fantasai> smfr: we might need something here with nested iframes, so don't get into crazy infinite resizing<br> <dholbert> q+<br> <fantasai> TabAtkins: yes, want to handle events in descending order like resizeobserver does<br> <fantasai> TabAtkins: need some thought to ensure not creating bad cross-tree resizing behaior<br> <fantasai> TabAtkins: Not too concerned about page vs iframe vibration, but much worse if grandparent grandchild interactions cause problem, because then nobody knows what's going on<br> <fantasai> fremy: Main question here was, I guess point of allow attribute is to allow resize<br> <fantasai> fremy: External page wants to allow iframe to resize<br> <fantasai> fremy: Not sure I understand point of resize function<br> <dholbert> q-<br> <fantasai> fremy: why not some CSS value that allows resizing by containing page<br> <fantasai> fremy: reason I think about htat is that resize takes 2 arguments, width and height.<br> <fantasai> fremy: not that interesting to change intrinsic width of iframe<br> <gregwhitworth> +1 to fremy<br> <fantasai> fremy: why not say that "I'm fine with my scrollHeight to be reported to the containing page"<br> <fantasai> iank_: scrollHeight isn't always what you want<br> <fantasai> fremy: could be something smarter, max-content maybe<br> <astearns> q?<br> <fantasai> TabAtkins: Second part of proposal also, about same-origin content and no-JS solution<br> <fantasai> smfr: Other point, iframe calls resizeTo() and has to provide a size. What size should it provide? does it doe getBoundingClientRect() on the body or what?<br> <fantasai> smfr: Is there some convenient way to get the height of the content?<br> <fantasai> TabAtkins: For 1st-party content, making it easy. But for 3rd-party content wanted to be more explicit<br> <fantasai> TabAtkins: But maybe we can reduce that restriction<br> <fantasai> TabAtkins: 2nd part of proposal is about same-origin content<br> <fantasai> TabAtkins: right now, minimum solution still requires some JS on the framed page (not containing page)<br> <fantasai> TabAtkins: but for same-origin content, there's a certain degree of implicit trust we can rely on<br> <fantasai> TabAtkins: and might not require auditing<br> <fantasai> TabAtkins: for this, I propose that on a 1st-party iframe, or something that's srcdoc<br> <fantasai> emilio: srcdoc is not ?<br> <fantasai> emilio: data URIs are<br> <fantasai> TabAtkins: sorry, I'm thinking about sandbox<br> <gregwhitworth> q+<br> <fantasai> TabAtkins: In my original proposal, I had a new property that could be set on the root element to set the requested intrinsic size for each axis (auto | <length>)<br> <emilio> q+<br> <fantasai> TabAtkins: page could opt into ? via 'from-element' keyword, providing fallback length<br> <fantasai> TabAtkins: fantasai later suggested the page could just set an explicit width/height on the HTML element<br> <fantasai> TabAtkins: Possibly we don't need to mint a new property, can just take from the root element<br> <fantasai> TabAtkins: if that's problematic from existing, maybe mint something new<br> <fantasai> TabAtkins: but either way, that'll allow getting the size without JS<br> <fantasai> TabAtkins: Just set allow=resize, and inner page does whatever it needs to do<br> <fantasai> TabAtkins: and those sizes automatically communicate back and forth<br> <fantasai> TabAtkins: acts like an element, no JS required<br> <TabAtkins> https://github.com/w3c/csswg-drafts/issues/1771#issuecomment-805117925<br> <fantasai> fremy: that only works in 1D, right? you can't do both dimensions<br> <fantasai> fremy: then you wouldn't get the resize<br> <fantasai> fremy: if you get width + height, wouldn't know you need more space<br> <fantasai> TabAtkins: If you set both to auto, you'll need to rely on outer page to set your width...<br> <fantasai> fremy: ah, ok, make sense<br> <fantasai> iank_: I don't think that width/height on HTML will work, because people do set an explicit width on HTML and use e.g. auto margins to center<br> <fantasai> iank_: HTML is not the root, bit of disconnect<br> <fantasai> iank_: likely for auto behavior, might want something like scrollWidth/scrollHeight as was discussed<br> <fantasai> iank_: There's a little bit of danger here<br> <fremy> +1 to scrollWidth/scrollHeight (adjusted if necessary)<br> <fantasai> iank_: you might get content that, if you have a fixed-position content that rises to ICB, and has height 120%, could create an infinitely-growing iframe that way?<br> <fantasai> iank_: I'm not too concerned about that<br> <fantasai> TabAtkins: Yeah, need to think about loop detection...<br> <fantasai> fremy: we can set a threshold, if you fire too many resize events in a certain amount of time don't allow it or whateer<br> <fantasai> iank_: That might block some valid use cases. E.g. comment expansion might want to animate growing<br> <gregwhitworth> resizeObserver has the same error handling<br> <astearns> ack gregwhitworth<br> <fantasai> gregwhitworth: Effectively what you just outlined is something we wanted at Salesforce. All over the web ppl using Salesforce but not aware of it.<br> <fantasai> gregwhitworth: would like to see ???<br> <fantasai> gregwhitworth: enable this auto behavior for cross-origin<br> <fantasai> gregwhitworth: if a grid with min/max content, how can I lay out my content and pass back my height<br> <astearns> s/???/network headers/<br> <fantasai> gregwhitworth: I can work it out in JS, but want it automatic<br> <fantasai> TabAtkins: Reason restricted right now is trying to be cautious<br> <fantasai> gregwhitworth: we could write blog posts about how to do it, but would rather not<br> <fantasai> TabAtkins: I would want to have more security eyes on it<br> <fantasai> gregwhitworth: ...<br> <fantasai> emilio: There is some kind of precedent for this, loading a doc and sizing it intrinsically, which is SVG<br> <fantasai> emilio: Even if the SVG is not an actual image, if you have an object tag with SVG source, that's actually a document that's ...<br> <fantasai> emilio: in FF and Chrome at least, that size is intrinsic to SVG's viewbox<br> <fantasai> emilio: it would be good to figure out if there's something that we need to learn from that or not<br> <fantasai> emilio: that's probably legacy behavior<br> <fantasai> emilio: While we were doing ??<br> <fantasai> emilio: I just wanted to mention that precedent<br> <fantasai> emilio: I think those can run script, even if SVG<br> <dlibby> s/??/site isolation/<br> <fantasai> TabAtkins: A few people in thread mentioned OBJECT<br> <fantasai> TabAtkins: If currently allows that behavior and think it's OK, then maybe can allow it<br> <fantasai> TabAtkins: I haven't thought about it yet<br> <astearns> ack emilio<br> <astearns> ack fantasai<br> <TabAtkins> fantasai: on the topic of 3rd party sizing info without JS, I think i tmakes sense to allow<br> <TabAtkins> fantasai: If both the container and the inner page have explicitly allowed for it<br> <TabAtkins> fantasai: That indicates trust between the two<br> <TabAtkins> fantasai: For doing it declaratively, Ian's pointa bout width/height on root not being what we want makes sense<br> <TabAtkins> fantasai: Tab mentioned setting a property giving the behavior explicitly<br> <TabAtkins> fantasai: I don't think that's a CSS property, it's more of a security handshake<br> <gregwhitworth> +1 fantasai<br> <dholbert> q+<br> <TabAtkins> fantasai: So maybe an attribute on <html> that opts the iframe'd page into the behavior<br> <TabAtkins> fantasai: And would let you specify which size you want (scroll height, border-box height, etc)<br> <fantasai> fantasai: I think the size shouldn't be specified in HTML, should be in CSS; but allowing this should be an HTML attribute<br> <fantasai> dholbert: Should any page on the internet be able to get that info?<br> <fantasai> dholbert: maybe same-origin addresses it<br> <fantasai> dholbert: don't want to allow inadvertent stealing of info from the page<br> <fantasai> TabAtkins: right, which was why I initially wanted to disallow it<br> <fantasai> TabAtkins: and fantasai was talking about explicit opt-in<br> <fantasai> TabAtkins: I think there's some kind of iframing options setting?<br> <fantasai> iank_: There's ??? HTTP Header which restricts which origins you can be embedded in. Most banks etc. use that.<br> <fantasai> TabAtkins: requiring that, reasonable thing to start with<br> <fantasai> iank_: would need to set Access-control: allow-origin or whatever<br> <fantasai> astearns: Sounds like you got some good feedback, something to work on<br> <fantasai> TabAtkins: plan is that parts of this that relevant to CSS would go to contain spec<br> <fantasai> TabAtkins: and sizing spec<br> <fantasai> TabAtkins: to talk about natural size being controllable this way<br> <fantasai> TabAtkins: if we do have a new property... probably in sizing? maybe contain?<br> <fantasai> TabAtkins: rest will be pursued in HTMLWG<br> <fantasai> astearns: Should CSS part depend on the HTML part being accepted?<br> <fantasai> TabAtkins: sure<br> <myles> q+<br> <astearns> ack dholbert<br> <astearns> ack myles<br> <fantasai> myles: This entire discussion about how / technical considerations. Not about whether to do it all.<br> <fantasai> myles: Want to make sure that it's not a foregone conclusion that we should do this.<br> <fantasai> TabAtkins: Decent part of this was sussing out whether there's interest in doing this<br> <fantasai> TabAtkins: seems people are interested<br> <fantasai> TabAtkins: I suspect discussion in HTMLWG will be more contentious<br> <fantasai> TabAtkins: OK to object over there :)<br> <fantasai> astearns: but feel free to object over here also, if you think it's a terrible idea!<br> <fantasai> TabAtkins: We don't have any major internal partners clamoring for this, it's an old issue that's a frequent author requested, and we found a way to address an important part of it<br> <TabAtkins> <br dur=12min><br> <fantasai> <br duration=12min><br> </details> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/SebastianZ"><img src="https://avatars.githubusercontent.com/u/958943?v=4" />SebastianZ</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>@jensimmons Because you had strong concerns against this. Let me note again that there <em>are</em> use cases besides the ad frameworks one.</p> <p>The company I work for has different websites based on different server software stacks. Though all of them share specific widgets on special occasions. These widgets are surved from a general internal domain and embedded via iframes. We are currently using the <code>postMessage()</code> method mentioned by several people here in this thread for resizing the iframes to avoid the scrollbars to be shown.</p> <p>So therefore I'd also welcome this feature. Regarding security, as discussed already, it needs to be ensured that both sides express trust in each other.</p> <p>Sebastian</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/felixfbecker"><img src="https://avatars.githubusercontent.com/u/10532611?v=4" />felixfbecker</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>Here's a popular example, to support my point that I think it would overall <em>increase</em> security of the web to make this possible:</p> <p>GitHub recommends embedded <em>Gists</em> into other websites using a <code><script></code> tag.</p> <p><img src="https://user-images.githubusercontent.com/10532611/113852044-662f4b80-979c-11eb-9bb1-4b6f8c54b95e.png" alt="image" /></p> <p>If we look at what that script does, e.g. <a href="https://gist.github.com/olafurpg/94e0e735ceda0a355fa7e226c1431466.js">https://gist.github.com/olafurpg/94e0e735ceda0a355fa7e226c1431466.js</a>, we see that all it does is use <code>document.write()</code> to add a CSS styleheet and output HTML with the Gist. There is no reason this would have to need a <code><script></code> tag, other than that if embedding worked through an <code><iframe></code>, there would be no easy way for GitHub to resize it based on the Gist size (not without telling embedders to add JS to their page that communicates through <code>postMessage()</code>, which is too much to ask for). So instead, they go with a simple <code><script></code> tag. </p> <p>What does this mean for security? That script can execute any JS in the context of the page and has full control of the DOM. Gists are user content, and that user content is escaped by the GitHub backend and put into the string passed to <code>document.write()</code>. If there is <em>any</em> bug in that escaping logic, a malicious user could craft a Gist that doesn't escape properly and injects arbitrary JS into any page embedding the Gist. And if you get access to someone's GitHub account, you can change Gists that are already embedded somewhere (e.g. it's the most common method to embed code snippets in Medium blog posts).</p> <p>I think this is a huge security flaw "forced" by the shortcomings of the platform atm.</p> <p>Now imagine if GitHub could simply use <code><iframe></code>s. They would be sandboxed and the JS could get compromised as much as you want - it could never affect the parent page (besides growing in size, which is easy to control with CSS from the outside, even with a <code>style</code> tag on the snippet that GitHub would recommend).</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/craigfrancis"><img src="https://avatars.githubusercontent.com/u/1296695?v=4" />craigfrancis</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>Regarding "use cases" - Consider all 3rd party content, like user comments (disqus), videos, maps, tweets, facebook feeds, calendars, gists, ads, etc... it would be much safer if they were in an <code><iframe></code>, using their own isolated process (<a href="https://w3c.github.io/webappsec-post-spectre-webdev/">ref spectre</a>), and did not involve the host website including an unsafe/dangerous 3rd party <code><script></code> (which grants far too much access).</p> <p>I should also note that before <a href="https://developer.apple.com/documentation/safari-release-notes/safari-13-release-notes#Removed-Features">Safari 13 on iOS</a>, iframes were re-sized automatically (to avoid the scroll bar), with none of these security considerations.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/domenic"><img src="https://avatars.githubusercontent.com/u/617481?v=4" />domenic</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>Heya, @chrishtr asked me to take a look at the proposal here to give my thoughts. Based on <a href="https://github.com/w3c/csswg-drafts/issues/1771#issuecomment-805117925">https://github.com/w3c/csswg-drafts/issues/1771#issuecomment-805117925</a> and some subsequent ones here is what comes to mind:</p> <ul> <li> <p>Using <code>resizeTo()</code>, instead of e.g. a HTTP header, is a nice trick and should make this more usable for people.</p> </li> <li> <p>It seems like there are two opt-ins on the outer side: first, you have to set <code>allow="resize"</code>, and second, you have to actually use the <code>from-element</code> keyword. I don't know if we need both of these. I would probably cut the <code>allow="resize"</code> since the CSS <code>from-element</code> seems nice and versatile.</p> </li> <li> <p>The dance where the parent is allowed to cancel the event seems potentially tricky to implement and could cause slowness, for out-of-process iframes. You would need to send an IPC to the parent frame to fire the resize event, which would then send an IPC to the child frame telling it the result, before any resizing actually happens. It seems doable, but maybe worth considering whether or not running a full JS function here is really needed. The alternative is basically trusting any iframe that you set <code>contain-intrinsic-size: from-element</code> on, plus you could impose declarative constraints (e.g. <code>max-width</code>/<code>max-height</code>).</p> </li> <li> <p>However, I'll note that <code>window.resizeTo()</code> is already async (<a href="http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=9599">test</a>). So there's at least some precedent for resizes not taking effect synchronously. It just might be bad for users if resizes are slower than they need to be.</p> </li> <li> <p>+1 to the promise return value not making too much sense, because the resize only had an effect if the outer page uses <code>from-element</code>.</p> </li> <li> <p>This whole feature needs to not work for situations like <a href="https://github.com/shivanigithub/fenced-frame/">fenced frames</a> or <a href="https://github.com/WICG/portals">portals</a> where we also censor postMessage(). That seems fine.</p> </li> <li> <p>I would not auto-inject into srcdoc; that seems strange.</p> </li> <li> <p>+1 for strong event loop/ResizeObserver integration at the spec level. I don't think this should be too hard.</p> </li> <li> <p>I can't quite tell from the minutes but it seemed like people might be saying there's precedent for not requiring an embedee opt-in, and thus we should consider not requiring it for this feature? That'd be a very bad cross-origin information leak so please don't do that.</p> </li> </ul> <p>I hope this helps, and would look forward to working on this feature with you all!</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/LB--"><img src="https://avatars.githubusercontent.com/u/1296838?v=4" />LB--</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>It's been briefly mentioned earlier in the thread, but being able to support this without any scripting at all would also be great. It would allow treating an iframe as if it were just an ordinary block element in the page, complete with dynamic resizing just based on CSS alone. In theory it could also perform better as no JavaScript handshake would be necessary.</p> <p>In fact, since JavaScript can already resize a page as desired, I'm not sure why separate new communication methods are needed if a scriptless method is available: the page in the iframe could just resize itself and the parent would not need to differentiate between a resize caused by CSS only or a resize caused by JavaScript.</p> <p>I think the talk of using a header to opt-in from the embedee side was specifically intended to support the noscript scenario.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/matthew-dean"><img src="https://avatars.githubusercontent.com/u/414752?v=4" />matthew-dean</a> commented <strong> 3 years ago</strong> </div> <div class="markdown-body"> <p>@LB-- </p> <blockquote> <p>It's been briefly mentioned earlier in the thread, but being able to support this without any scripting at all would also be great.</p> </blockquote> <p>This would be ideal -- if an iframe could be treated like a type of inline block content that just resizes based on vertical (and/or horizontal?) overflow (and depending on whatever security measures are needed to whitelist the iframe). A script could therefore just change the CSS property to set resizing behavior.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/domenic"><img src="https://avatars.githubusercontent.com/u/617481?v=4" />domenic</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Hi folks,</p> <p>@tabatkins, @chrishtr, and I spent some time working on this offline. We ended up with the explainer at <a href="https://github.com/domenic/cooperatively-sized-iframes">https://github.com/domenic/cooperatively-sized-iframes</a> . Summary:</p> <pre><code class="language-html"><iframe style="contain-intrinsic-size: from-element 500px 500px" src="iframe.html"></iframe>  <html requestedwidth="480" requestedheight="320"></code></pre> <p>We did manage to come up with a solution that doesn't require JavaScript in the simplest cases, where the iframe knows specific pixel values for the width and height it requests. But for dynamic resize-to-content, it's quite tricky, as discussed in our section <a href="https://github.com/domenic/cooperatively-sized-iframes#but-what-about-auto-resizing">"But what about auto-resizing?"</a>. (The basic problem is how it can cause infinite resize loops.) So the initial proposal would require JavaScript to hook up a ResizeObserver or similar and manipulate <code>document.documentElement.requestedWidth</code> and <code>requestedHeight</code>, <a href="https://github.com/domenic/cooperatively-sized-iframes#requests-from-the-inside">like in this example</a>.</p> <p>Feedback is welcome, either on that repository if you want to have a more focused discussion on individual aspects of the proposal, or here if you'd prefer that.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/chrishtr"><img src="https://avatars.githubusercontent.com/u/3453258?v=4" />chrishtr</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Agenda+ to propose adding the from-element syntax and <code>requestedwidth</code>/<code>requestedheight</code> attributes.</p> <p>Notes on <code>from-element</code>:</p> <ul> <li>It should (of course) apply to iframes</li> <li>Should it apply to <code>object</code> and <code>embed</code>? SVG embedded in these already have an intrinsic sizing capability similar to the proposed iframe thing.</li> <li>Should it apply to other replaced types such as image and video?</li> </ul> <p>I would propose it applies to all replaced elements which have a communicated intrinsic sizing, but I may be missing cases where this is not desirable.</p> <p>Notes on <code>requestedwidth</code> / <code>requsetedheight</code>:</p> <ul> <li>As noted in the explainer, this could also be a CSS property, or even a javascript method. We could discuss tradeoffs.</li> </ul> </div> </div> <div class="page-bar-simple"> <a href="/w3c/csswg-drafts/1771?page=2" class="next">Next</a> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

w3c / csswg-drafts

[css-sizing] Auto-resize iframes based on content #1771