Does the web platform not consider users who want to block the loading of embedded web pages from other websites?
By blocking cross-site iframes by default, I get a blank box. What kind of experience is that?
So users are expected to always allow cross-site iframes, huh? That’s the only way? No alternatives? I hope that’s not true.
<iframe> needs to support fallback content when the document fails to load, for whatever reason.
Alternatively, if a cross-site iframe fails to load, the browser could allow the user to manually navigate to the
<iframe src> URL. For example, if an embedded YouTube video fails to load, the browser would give the user the option to open the video on YouTube’s website. In this case, the
<iframe src> URL can be opened in a separate tab, and it will play the video in embedded mode (simpler UI), but the user can then click the video title to open the video normally (with comments and everything).
This was already a thing. Not sure if the current WHATWG HTML spec mentions it but the HTML4 spec does. However, on sites where I’ve seen a fallback it has just been a generic “Your browser doesn’t support iframes” message.
The contents of the IFRAME element, on the other hand, should only be displayed by user agents that do not support frames or are configured not to display frames.
- Frames in HTML documents
Keep in mind that if you open the frame in a new tab it won’t be restricted by the iframe’s sandbox settings (a page can disable things like scripts and forms in a frame it embeds).
Aha. And since all browsers support iframes now, and there is no way to tell the browser to don’t load iframes, the behavior that you quoted has become nonexistent.
I have also noticed that if my browser extension blocks an iframe from loading, the browser won’t render the
<iframe> at all. It completely skips over the element, as if it didn’t exist in the HTML source.
edit: Ah, the extension is hiding the iframe in that case. Makes sense.