
Put it in a safe iframe, what's the catch?



Everything. iframes can't fuck with your code, but they are 1. displayed in your page (is this a good idea, does this iframe agree with how your page will display it). 2. Is leaking information to this iframe (and consequently, that iframe's server that this email had been opened) a good idea (no. 100% it's not.). 3. Can someone else contrive another vector of page control or information leak that suits their motives and hasn't been considered a priori by you (also yes, 100%. Never underestimate the motivation or creativity of others).

Never, ever, EVER embed an iframe thinking it will make your life better.


Are most of these protected by sandboxed iframes? What kind of leak are you talking about? Referer leak? That is easy to fix, but what else?

I don't think the email sender cares about how the iframe is rendered. They currently render in a rectangle, and they will keep rendering in a rectangle.
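Added example, not part of the thread or any commenter's code: one way to render untrusted email HTML in a sandboxed `srcdoc` iframe, with a Content-Security-Policy that blocks the remote loads behind the "email opened" leak discussed above. The names `buildSandboxedFrame`, `remoteRefs` and `SAMPLE_EMAIL` are hypothetical, and the sample email is constructed.

```javascript
// CSP placed inside the framed document: no network fetches at all,
// only inline data: images and inline styles are allowed.
const CSP = "default-src 'none'; img-src data:; style-src 'unsafe-inline'";

// Escape for a double-quoted HTML attribute value (srcdoc).
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Wrap untrusted email HTML so the CSP and referrer policy are parsed
// before any of the email's own markup.
function buildSandboxedFrame(emailHtml) {
  const doc =
    "<!doctype html><html><head>" +
    `<meta http-equiv="Content-Security-Policy" content="${CSP}">` +
    '<meta name="referrer" content="no-referrer">' +
    "</head><body>" + emailHtml + "</body></html>";
  // sandbox="" with no tokens: scripts and forms are disabled and the
  // content runs in an opaque origin, separate from the embedding page.
  return `<iframe sandbox="" srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Rough audit helper (regex, not a full HTML parser): lists http(s)
// URLs the email would fetch or link to, i.e. what the sandbox
// attribute alone does not stop and the CSP is there to block.
function remoteRefs(emailHtml) {
  const re =
    /(?:\b(?:src|href|background)\s*=\s*["']?|url\(\s*["']?)(https?:\/\/[^"'\s>)]+)/gi;
  return [...emailHtml.matchAll(re)].map((m) => m[1]);
}

// Constructed sample: a styled paragraph, a 1x1 remote image, a script.
const SAMPLE_EMAIL =
  '<p style="color:#333">Hello & welcome</p>' +
  '<img src="https://tracker.example/open.gif?id=123" width="1" height="1">' +
  '<script>parent.document.title = "x"</script>';

console.log(remoteRefs(SAMPLE_EMAIL));
console.log(buildSandboxedFrame(SAMPLE_EMAIL));
```

The sandbox attribute by itself does not stop image fetches, which is why the CSP carries the "opened" protection here; a link the reader clicks can still navigate the frame itself.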



