w3c/webappsec-permissions-policy

Feature Proposal: cross-origin rootBounds and rootMargin


From w3c/IntersectionObserver#280:

In order to avoid leaking information about the parent page, IntersectionObserver doesn't allow rootBounds and rootOrigin when used from inside a cross-origin frame. As a result, libraries that run as a top-level script but embed a cross-origin frame are having difficulty deploying.

We should add a frame-level opt-in so that this information can be exposed if the parent page is OK with it. We could do this via FeaturePolicy, embedded CSP, or a new attribute on iframe.

@szager-chromium

@ojanvafai

As a feature policy, I think this would be something like

Feature-Policy: bounds 'self' http://trusted-example.com

or

<iframe src="http://trusted-example.com/" allow="bounds"></iframe>

With a default allowlist of 'self' (so blocked by default in cross-origin embeds; available by default in same-origin content).