David Bruant wrote:
> It seems like in theory, it could be possible to handle the content
> of a cross-origin iframe in a specific Rust task (or bunch of tasks).

I thought Rust tasks were supposed to be very lightweight. If so, why not put every iframe in a separate task, whether it is same-origin or not? It would be interesting to get the telemetry to see how common the following kinds of pages are:

1. Page with no iframes
2. Page with only same-origin iframes (and how many such iframes)
3. Page with only cross-origin but same site (eTLD+1) iframes (and how many)
4. Pages with only cross-site iframes (and how many)

> # Addendum: the special same origin iframe@sandbox case
>
> What I've described above only applies to cross-origin iframes. As it
> happens, HTML5 introduced a sandbox attribute for iframes [2]. When
> applied, the iframe is suddenly put in its own unique origin
> (regardless of the origin inferred from its URL). So it could be
> possible to consider sandboxed same-origin iframes as parallelizable.
> Of course, in JavaScript, the parent of an iframe can, at any time,
> remove the sandbox attribute or add the "allow-same-origin" to the
> sandbox attribute (IIUC, this value gives back its origin to the
> content of an iframe).

The iframe sandbox spec says "These flags only take effect when the nested browsing context of the iframe is navigated. Removing them, or removing the entire sandbox attribute, has no effect on an already-loaded page [in the iframe]." So, having the isolation of an iframe depend on the value of the sandbox attribute seems like it would work as well as having it depend on the origin of the iframe.

document.domain is one big reason why it may be most practical to implement such features on a same-site (same eTLD+1) basis instead of same-origin, if there is any reason to treat same-origin and cross-origin iframes differently in terms of task isolation.

Cheers,
Brian

_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo
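
The page categories from the telemetry list in the message above, together with the sandboxed unique-origin case, sketched as an added example that is not part of the original thread or of Servo's code. Assumptions: `SUFFIXES` is a constructed stand-in for the Public Suffix List, the names `site`, `relation` and `bucket` are hypothetical, each frame record holds the `sandbox` attribute value as it was when the frame was navigated, and the `opaque` and `mixed` labels extend the four categories in the message.

```javascript
// Constructed stand-in for the Public Suffix List (assumption); real
// telemetry would load the full list instead of these three entries.
const SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain (eTLD+1): longest matching public suffix plus one label.
function site(hostname) {
  const labels = hostname.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return hostname; // no known suffix (localhost, IP literal): host is its own site
}

// Relation of one iframe to its embedding page.
// frame.sandbox is the attribute value at navigation time (null/undefined = absent);
// later changes to the attribute do not affect the already-loaded document.
function relation(pageUrl, frame) {
  const tokens =
    frame.sandbox == null ? null : frame.sandbox.split(/\s+/).filter(Boolean);
  // Sandboxed without allow-same-origin: unique origin, whatever the URL says.
  if (tokens && !tokens.includes("allow-same-origin")) return "opaque";
  const page = new URL(pageUrl);
  const child = new URL(frame.src, pageUrl); // resolves relative src values
  if (page.origin === child.origin) return "same-origin";
  // Same eTLD+1: the only frames document.domain could bring together.
  return site(page.hostname) === site(child.hostname) ? "same-site" : "cross-site";
}

// Telemetry bucket for a whole page, with the iframe count.
function bucket(pageUrl, frames) {
  if (frames.length === 0) return { bucket: "no-iframes", count: 0 };
  const kinds = new Set(frames.map((frame) => relation(pageUrl, frame)));
  const name = kinds.size === 1 ? [...kinds][0] + "-only" : "mixed";
  return { bucket: name, count: frames.length };
}

// Constructed sample page: one same-site frame and one sandboxed same-URL frame.
const sample = bucket("https://www.example.com/", [
  { src: "https://cdn.example.com/widget" },
  { src: "/comments", sandbox: "allow-scripts" },
]);
console.log(sample); // { bucket: 'mixed', count: 2 }
```
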