usual live blogging caveats - spelling errors, messy, etc etc
@premasagar is visiting the Osmoplex today (thanks @jayfresh for arranging it) and is taking us through his work on iframes, widgets, and sandboxing. I’ve realised we could perhaps be collaborating as my jquery-iframe plugin is so close to his. Different emphases, but much overlap.
GitHub is where you can see what he’s been working on. Basically, this guy is a guru on all things iFrame. In particular, all the quirks around squirting dynamic content into iFrames, as opposed to pointing them elesewhere using “src”.
QUOTE OF THE DAY
“sqwidget is my tiddly”
BACKGROUND - THE EMBEDDING PROBLEM
In patternesque speak, the basic problem is:
Problem: You want to embed 3rd party content into another site.
Forces:
- You want the 3rd party content to have its own style
- BUT it will inherit style from the parent page
SOLUTION 1
IFrame
Works great (in fact, I’m using it in my TiddlyWiki playground app, to be documented at some point, and is similarly used in Jon Lister’s TiddlyTemplating.
The problem is you sometimes want the widget to jump out of the iframe, e.g. a ligthboxed video. So …
SOLUTION 2
Basically a CSS reset, but whereas CSS resets will only handle browser defaults, cleanSlate blats everything! This is exactly the kind of thing I was looking for when I was trying to cancel out tiddlywiki styling. In that case, I was flipping the entire page back and forth, so I could just cheat by removing stylesheets and re-add them. (Prem pointed out there’s a “disabled” attribute on style tags - true, so I should really use this instead, assuming it’s portable, which he thinks it is.)
Problems:
- Difficult to maintain CleanSlate library, because new CSS stuff and browser quirks keep coming up
- IE6 and IE7 don’t support “inherit”, so need CSS expression.
- When using Javascript to interact with CSS style properties, e.g. slideDown(), these will override CleanSlate. The solution is to set the “style” attribute with !important, but it becomes an arms race!
- Doesn’t solve iFrame security model
SOLUTION 3
Inject (aka squirt, inject; summary) content into a fresh iframe.
The content comes from the widget site. The sqwidget library injects it. This resolves the tension with wanting independent CSS on the same page. If the sqwidget library is running on the host page, it could even (potentially) lock down capabilities, i.e. do Caja-style sanitisation.
Sqwidget also does templating, using Resig’s micro-templating. (That thing’s getting to be very popular; I’m using it myself in Scrumptious via the UnderScoreJS library after @fnd gave us a talk about them.)
Also, prem is playing around with the idea of a div, with custom (data-*) attribute pointing to the third-party URL. You could put inside it “now loading” and then the script tag will pick those things up and load them.
Various points:
-
for content-squirting into the iframe, you should be setting doctype, otherwise IE will load in.
-
worth investigating use of