shindig-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kevin Brown" <e...@google.com>
Subject Re: Dynamic height with content type="url"
Date Thu, 07 Feb 2008 21:27:31 GMT
On Feb 7, 2008 1:08 PM, Cassie <doll@apache.org> wrote:

> Arun -
>
> I *think* Kevin was referring to the last part of this thread:
>
> http://mail-archives.apache.org/mod_mbox/incubator-shindig-dev/200802.mbox/browser
>
> I always get confused by the ifpc stuff :), but the main idea I gathered
> from that is that the gadget is no longer on a domain that we trust and
> control (because it is just whatever url the gadget specified). This means
> that we can't use the current solution for ifpc, where the whole parent
> page
> creates an iframe in the same domain as the gadget iframe and vice versa,
> because the parent page would have to create an iframe in the same domain
> as
> that random site. I believe that the ifpc_relay.html would also be a
> problem
> because we would have to trust that the gadget's site has the correct file
> up in the right place.


Sort of;  the issue is actually that the gadget can't trust the container.
There are other problems with out type=url support though, such as not being
able to handle inline or http-fetched javascript from features.

(I also gathered that we could eventually fix this though, it just wasn't
> trivial)


The latter problem can be, the former not so much. We'll have to standardize
some sort of white listing mechanism for the gadget authors so that they can
decide which parent containers that they trust to fetch javascript from.
Gadgets that don't need any container provided javascript (no user prefs, no
dynamic height or settitle support, no opensocial...) will work just fine,
but all the others won't.

~Kevin

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message