Open emilio opened 2 years ago
If there are no useful attack vectors then I agree it should also be context-dependent in cross-origin iframes.
The CSS Working Group just discussed prefers-color-scheme and iframes
, and agreed to the following:
RESOLVED: Context-dependent color scheme propagation works for iframes (including cross-origin) unless specifically restricted
This is a follow-up for #7213.
It seems in that issue, we were in general agreement that doing this for images and maybe even same-origin
<iframe>
s would be ok, but @tabatkins and @smfr mentioned that cross-origin frames might not be ok, and I'm curious about the reasoning for that, since other similar alterations like https://github.com/w3c/csswg-drafts/issues/4772 have no same-origin restrictions. When I talked about this with the security folks at Mozilla, there didn't seem to be a particularly interesting attack vector here.This would be useful both for consistency, but also because it would allow use cases like https://github.com/w3c/csswg-drafts/issues/7213#issuecomment-1144016642 to work. Otherwise, there's no way to have a transparent iframe without coordination with the embedder page, even if the embedded page could support both light and dark color schemes.
cc @smfr, @chrishtr, @lilles, @tabatkins