A partial archive of discourse.wicg.io as of Saturday February 24, 2024.

Allowing a parent window to provide modules to a child frame


A while ago, I posted an issue on the whatwg/loader repo about an idea that I think would be great for the web. That issue talks about a parent window hooking the loader for an iframe so that it can provide modules to the content in it, without an actual web request needing to take place or without the content knowing where the module is located. The issue didn’t gain much interest to generate a discussion, so I’m hoping to retry here.

I work for an ad serving company, I’m responsible for scripts that load advertiser-created content into publisher pages in iframes. Those iframes usually reference our API and lots of communication takes place between the host and the creative during the lifecycle of the ad. postMessage, in this situation, is not ideal (although we still use it), because we run scripts on pages that are not our own which means the messages from the creative to the top window can be intercepted or cause side-effects on the host page. MessageChannel might be a solution to this, if timing wasn’t difficult. If the child frame loads scripts asynchronously, we may send the MessagePort object in too soon, resulting in it being neutered.

One of the ways we get around some problems is providing configuration via JSON in the name attribute:

<iframe src='https://...' name='{ "foo": "bar", ... }'></iframe>
ad.config = JSON.parse(window.name);

// do something with ad.config

ES Modules provide a great opportunity here, in my opinion. Imagine if an iframe script could do this:

import creativeAPI from '@some-parent-identifier';
import config from '@another-parent-identifier';

If the parent can define these module identifiers for an iframe and either return an object (containing transferables or primitives), perhaps even callable async functions (that throw for security-sensitive arguments) or just a resolved URL, it could remove a huge chunk of complexity for situations like this.

It’s not just the evil ad tech industry that could benefit from this. Apps that run on Facebook could no longer require auth tokens and many web API requests could be eliminated (by providing the data directly from the host). eBay item descriptions also run in iframes, but aren’t allowed to reference external scripts. Embedded video players and other components could me simplified. There are many examples where iframes could be hugely improved by something this.

I don’t have a solid proposal together, I’m hoping to get some opinions and discussion around feasibility first.