Last Comment Bug 631218 - implement the HTML5 seamless attribute for the iframe element
: implement the HTML5 seamless attribute for the iframe element
Helps against XSS
: dev-doc-complete, html5, sec-want
Product: Core
Classification: Components
Component: Layout: HTML Frames (show other bugs)
: Trunk
: All All
-- enhancement with 40 votes (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
: Jet Villegas (:jet)
Depends on: 80713 960563
Blocks: html5test
  Show dependency treegraph
Reported: 2011-02-03 06:08 PST by Michael[tm] Smith
Modified: 2016-07-17 19:29 PDT (History)
58 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description User image Michael[tm] Smith 2011-02-03 06:08:37 PST
User-Agent:       Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:2.0b11pre) Gecko/20110202 Firefox/4.0b11pre
Build Identifier: 4.0b11pre

"The seamless attribute is a boolean attribute. When specified, it indicates that the iframe element's browsing context is to be rendered in a manner that makes it appear to be part of the containing document (seamlessly included in the parent document)."

see also bug 80713 and details about related "moz-seamless"

Reproducible: Always

Steps to Reproduce:
[this is a feature request]
Comment 1 User image Tim Nguyen :ntim 2012-12-25 06:07:03 PST
It should be easy to implement, a small rule can be add into html.css :
iframe[seamless] {
The second part doesn't work but it should be something like this :
iframe[seamless] scrollbar {
Comment 2 User image rexyrexy2 2013-02-25 09:39:30 PST
this is a small rule that should Implement the border [border from ntim007] as well as the second part and makes most if not all values their default that could and should be added into html.css:

iframe[seamless], iframe[seamless="*"]:not([seamless="false"]):not([seamless="no"]) {
padding: 0px;
background-color: transparent;
Comment 3 User image wig_2006 2014-11-20 06:29:39 PST
I have HTML5 seamless iframe too , because UC Browser 9.9 support seamless iframe no prefix as release.

Link browser support -

Picture -
Comment 4 User image Bob Owen (:bobowen) (PTO until 25th Feb) 2014-11-20 06:42:01 PST
The navigation behaviour, when the seamless attribute is specified, relies on the source browsing context (see [1] step 3).
We have this now and set it fairly consistently, but not correctly in all cases.
Bug 960563 tracks this.

Comment 5 User image Zach Lym 2016-05-02 14:41:08 PDT
This has been removed from the current HTML5 spec[1] and this bug should probably be closed.

Comment 6 User image wig_2006 2016-05-06 05:42:59 PDT
(In reply to Zach Lym from comment #5)
> This has been removed from the current HTML5 spec[1] and this bug should
> probably be closed.
> [1]

Thanks you to result , I have to HTML5 spec to real standard.
Comment 7 User image :Ms2ger (⌚ UTC+1/+2) 2016-07-04 04:20:33 PDT
I noticed this was referenced in at least
Comment 8 User image Jean-Yves Perrier [:teoli] 2016-07-10 03:12:53 PDT
Good catch :ms2ger. Thx. Entry removed.
Comment 9 User image Ben Bucksch (:BenB) 2016-07-13 14:33:29 PDT
Per comment 7, the spec states:
> The following properties have been added: srcdoc, sandbox, seamless, and contentWindow.

Thus, the reason for WONTFIX was a misunderstanding. REOPENing on that ground.

More importantly, this is a critically important feature for the web. iframes are an important security container, and having them size to content is a requirement in many places.

One example is to take user contributed rich content, and render it as part of the page. Yet, the user content must not have access to the rest of the page. Concretely, if I was to write an email client as webapp, and I wanted to have a "conversation view" with consecutive emails, I would need this. I would jail each HTML email into a seamless iframe, and size the iframe to content, and then I could put 10 emails one after the other.

Current webapps work around this by trying to sanitize the HTML on the server side before display. That is one solution, and they should continue to do that, but we all know that there are plenty of XSS exploits. The seamless iframe would be a welcome additional protection.

The more apps migrate to the web, the more this is needed.
Comment 10 User image Olli Pettay [:smaug] (pto-ish for couple of days) 2016-07-13 15:00:43 PDT
The spec doesn't define seamless anymore, so I don't see how we can keep this open.
If you want seamless, file a spec bug and get it defined there.

(MDN seems to still mention seamless even though it isn't in the spec and was even removed from Chrome

Note You need to log in before you can comment on or make changes to this bug.