-
Notifications
You must be signed in to change notification settings - Fork 303
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
autoresize iframes spec #29
Comments
We have something similar specified in Iframely protocol - https://github.com/itteco/oembed2/blob/master/4%20-%20Embed%20MIME%20types.md Have you seen it? |
In addition to Ivan: Example usage here: https://github.com/itteco/iframely/blob/master/plugins/domains/facebook.com/facebook.post.ejs But you are right, it needs to be more unified for common cases. Also we are looking at google plus posts embedding style: https://developers.google.com/+/web/embedded-post/ This method have flexibility and performance benefits on multiple embeds, but it also not so safe as iframe. I will think about you ideas. |
Usually widgets have static width, and height depends on amount of text. So it could be calculated only after render. And this is not so easy, because content can load dynamically and height will change permanently. We had problem with this in storify plugin. If widget has floating width - it will calculate height depending on configuration of iframe set by parent and media constraints. And the rest will be all the same as in previous case.
Maybe you mean ALLOWTRANSPARENCY? |
Oh, indeed. I haven't seen this. But it has a few problems: It uses objects, not strings. caniuse.org: "Internet Explorer 8 and 9, and Firefox versions 6.0 and below only support strings as postMessage's message." Especially IE 8 and 9 would be targets that should be supported. Look at the combined market share of IE 8 and 9: http://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0 Also the And then the message format is a bit generic. I would mark it somehow more unambiguously. In my example I prefixed the message data with I think the simpler the API, the more likely it will be implemented. Ok, my example needs a bit of a script on the side of the embedder, but it's not that big and can be embedded once without the need of adding logic that assigns |
Registering needed to control flow from parent window. Iframe can send signal before events in parent window will be set up. I don't know how critical could it be, but if all this managed by common lib - complexity is not so important. So its more about control - not to find who sent event. |
`overflow` and `background` - works inside iframe content as I know. How can it act in iframe from parent window? Maybe you mean ALLOWTRANSPARENCY? Ah, yes. I also mean allowtransparancy. But actually in my experience you have to set all these things (allowtransparency="true", background:transparent, scrolling="no", overflow:hidden) to be on the safe side. But yes, allowtransparency is missing in my example. Also it seems as if it's no longer supported with IE9. Updated: http://jsfiddle.net/nxUVp/11/ Also now I have second thoughts about some aspects of my example: You can do a lot of shenanigans with CSS. It should not only filter the property names, it should also filter the values (only allow certain value patterns), because e.g. in IE you can embed JavaScript expressions in CSS! So I guess: only allows width and/or height which have to be parsed by |
@nleush If the onmessage handler is registered in Because I think simplicity is important, here is a simplified version of my example: |
I like your ideas, Mathias. Having the need for iframe to register itself first isn't the nicest thing. However, we should keep in mind that the same mechanism we'd choose for auto-resizing will also be used for playback sync. Let us think a little more about your suggestions. The goal is to have simple, but not too ambiguous spec |
I agree. Anyway, I think the most important thing is to use strings instead of objects (IE8 and IE9 support) that are prefixed with something unique like |
Ok, lets see what separate problems we have.
Thats all. About 1. Now we support
And thats only two cases. About 2. As I told I want to have control over all iframes as a parent window. I had cases with async scripts loading in parent window. That's mean it would be +1 problem to bind head event and make queue with iframes messages. In my current solution you need one script and one function call to start managing iframes in page. No care when it called. If we listening to head, we need to make parent window use head script. Thats limitation to user. In case of complex async apps it could be a problem. From the other side: If we use iframely.js to render iframes, then it will be already initialized to listen iframes it created. Buy in case of server render we should force some script loading in head. So in both cases we have some explicit restrictions:
I don't have clear vision what is much better, but as I told - i think second case is more manageable. About 3. I use this http://www.onlineaspect.com/2010/01/15/backwards-compatible-postmessage/ code in all iframely libs. Its a bit truncated in iframely version, but its not a problem to return full version. Lets assume this code handles browser support and object->string->object conversion. |
One more problem we have with that - is detecting real window size inside iframe. Its not about spec, but more like: how and when detect content size. In common case iframely acts like following:
The biggest problem here is following: Iframe should have some (incorrect) size initially. And that size will be visible to user sometime (wait for content loaded). Its very ugly. Positive height allow iframe content be rendered and have real size with scrollbars. I tried to make initial Also I had problems with size change after scrollbar added or disappeared. You can play with that using plugins which use |
What if you make the iframe |
You could wrap the iframe in a div that has |
@panzi I've moved this into itteco/oembed2 repo. Please, join there. We are also discussing the initial handshake in itteco/oembed2#3 |
* fix: Dockerfile to reduce vulnerabilities (#29) The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-ALPINE315-ZLIB-2976173 - https://snyk.io/vuln/SNYK-ALPINE315-OPENSSL-3314621 - https://snyk.io/vuln/SNYK-ALPINE315-OPENSSL-3314622 - https://snyk.io/vuln/SNYK-ALPINE315-OPENSSL-3314629 - https://snyk.io/vuln/SNYK-ALPINE315-OPENSSL-3368753 Co-authored-by: snyk-bot <[email protected]> * Do rebase outside of the make instead * Use 22-alpine for docker --------- Co-authored-by: snyk-bot <[email protected]>
This is actually something you (iframely) cannot provide, but that has to be implemented by the embed service and the embed user. But I think someone should specify a way how such a thing can be done. Maybe this isn't the proper place for this, but where would that be? Anyway, I would propose this interface:
The embed sends a message like this on load:
iframely:style:
is a marker so that the site using the embed understands what to do with this message. The rest is encoded as a URL query string. A string is used instead of a JavaScript object because older browsers only support strings as message data.Note: The site parsing the message has to filter the style properties (only allow certain ones), so that the embed cannot do any shenanigans. Just allowing the ones used here should be ok. (Things like opacity and absolute/fixed position are not ok.)
Also for older IEs overflow and border have to be translated into scrolling and frameBorder. However, dynamically setting frameBorder="0" seems not to work in IE8, so it has to be done by the embed user anyway. The important things are width and height. Maybe only width, height, overflow and background should be supported?
Who needs this?
Embeds that should integrate more or less seamlessly into the parent page. E.g. Disqus, but also crowdranking when the user want's to use "auto-size" (so that the embedded ranking does not need scroll-bars). There was another service of which I forgot the name/URL. There you can host hole articles with images and what not. These also auto resize to their content.
Currently all these services use their own APIs that require the embed user to include scripts provided by the services, which I deem ugly and unsafe. If the message format for these tasks would be standardized this would not be necessary.
Browser Support
postMessage
has to be supported: http://caniuse.com/#search=postMessageInternet Explorer 8+ (witch the mentioned limitation on
frameBorder
for IE8), Firefox 3.0+, Chrome 4.0+, Safari 4.0+, Opera 9.5+ etc.There are hacks for old browsers that do not support
postMessage
, but they are extremely hackish and produce problems when the page has more than one embed. The hacks work like this: Communicate to the iframe the exact URL of the parent page, so that the iframe can then do:And the parent frame has to poll
location.hash
withsetTimeout
(because browsers that do not supportpostMessage
don't supportonhashchange
either). If two embeds set the parent's hash within the same poll interval one message is lost. Also there is no easy way to know which embed sent the message. Also pages that actually uselocation.hash
for their own purposes will have problems with this. So I wouldn't bother with this hack.Example
http://jsfiddle.net/fF9Hp/6/ (iframe)
http://jsfiddle.net/nxUVp/10/ (embed user)
The text was updated successfully, but these errors were encountered: