
[css-sizing-4] Update responsive-iframes-explainer.md#13961

Merged
kojiishi merged 1 commit into
w3c:mainfrom
kojiishi:responsive-iframes-explainer-csp
May 28, 2026

Conversation

@kojiishi

Contributor

Replaced X-Frame-Options with Content-Security-Policy for the feedback.

@kojiishi

Contributor Author

@chrishtr PTAL.


Information about the contents of a cross-origin iframe can be exfiltrated by embedding it in a malicious document that observes the laid-out size of the iframe. This can be mitigated through use of the the `X-Frame-Options` HTTP header to allow embedding into only trusted embedding documents, plus the `responsive-embedded-sizing` `<meta>` tag to further opt into responsive layout. Additional restrictions could be put in place through contents of the `<meta>` tag that would restrict to only explicitly allowed origins.
Information about the contents of a cross-origin iframe can be exfiltrated by embedding it in a malicious document that observes the laid-out size of the iframe.
This can be mitigated through use of the the `Content-Security-Policy` HTTP header to allow embedding into only trusted embedding documents,
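Review bot: the replacement sentence names only the `Content-Security-Policy` HTTP header and not the directive that governs embedding; state `frame-ancestors` explicitly (for example "the `Content-Security-Policy` header's `frame-ancestors` directive"), since the header on its own says nothing about who may frame the document. Keep the words "HTTP header" as written: `frame-ancestors` is ignored when CSP is delivered through a `<meta http-equiv>` element, so unlike the `responsive-embedded-sizing` `<meta>` tag mentioned in the old line it cannot be set from markup. Also "the the" is doubled, and the new sentence breaks off at "embedding documents,", so it is not visible here whether the `<meta>` tag and allowed-origins text from the removed line carry over.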

Contributor

Suggested change
This can be mitigated through use of the the `Content-Security-Policy` HTTP header to allow embedding into only trusted embedding documents,
This can be mitigated through use of the `Content-Security-Policy` HTTP header's [`frame-ancestors` value](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/frame-ancestors) to allow embedding into only trusted embedding documents,

Contributor Author

Done, thanks for the suggestion.

@yisibl

yisibl commented May 26, 2026

Contributor

Hi @kojiishi The CSS property has been switched to frame-sizing. Could you update it?
https://chromium-review.googlesource.com/c/chromium/src/+/7532195

@kojiishi kojiishi force-pushed the responsive-iframes-explainer-csp branch from 4b8b96c to cbe0a7a Compare May 28, 2026 08:21
@kojiishi

Contributor Author

> Hi @kojiishi The CSS property has been switched to frame-sizing. Could you update it? https://chromium-review.googlesource.com/c/chromium/src/+/7532195

Done, thanks.

Replaced `X-Frame-Options` with `Content-Security-Policy` for the [feedback].

Also updated the CSS property to the resolved one.

[feedback]: https://groups.google.com/a/chromium.org/g/blink-dev/c/zBx_uoW7jRQ/m/Ilm304IyBQAJ
@kojiishi kojiishi force-pushed the responsive-iframes-explainer-csp branch from cbe0a7a to d5add28 Compare May 28, 2026 08:23
@kojiishi kojiishi merged commit bb56a20 into w3c:main May 28, 2026
1 check passed
@kojiishi kojiishi deleted the responsive-iframes-explainer-csp branch May 28, 2026 08:23