A look at the weird ass bit of the browser Remy Sharp • @rem • Left Logic

No content

2008: 1.jsbin.com

2010: 2.jsbin.com

2012: 3.jsbin.com

No content

Amazingly still work!

Scott Isaacs @ Microsoft 1997

iframe support dropped in XHTML 1.1 Lack of support in IE7 meant iframes stuck around.

document.head.appendChild

Foundation of early comet techniques 2000/2006 var iframe = document.createElement('iframe'); iframe.style.display = 'none'; document.head.appendChild(iframe); iframe.src = '/live-stream'; require('http').createServer(function (req, res) { res.writeHead(200, { 'content-type': 'text/html' }); res.write(sendPadding()); setInterval(function () { res.write(getLiveData()); }, 1000); });

2007: detect globals 2008: jsbin 2010: jsconsole 2011: responsivepx

Let's explore this ugly mutha.

Samsung S3 phone wipe

Auto-play iOS 4 only :(

iframe must be in DOM to start writing to it var window = iframe.contentWindow || iframe.contentDocument.parentWindow;

function iframe() { var iframe = document.createElement('iframe'); document.body.appendChild(iframe); return iframe.contentWindow || iframe.contentDocument.parentWindow; } var window = iframe(), document = window.document; document.open(); document.write(myAwesomeHTML); document.close();

Load won't fire until .close is called - though content loads.

Take a generated iframe out of the DOM, it'll reset

Dynamic iframes ignore the mime type that should prevent assets loading...

Web Previews

WebKit browser don't have innerWidth/Height until next tick

var iframedelay = (function () { var iframedelay = { active : false }, iframe = document.createElement('iframe'), doc, callbackName = '__callback' + (+new Date); iframe.style.height = iframe.style.width = '1px'; iframe.style.visibility = 'hidden'; document.body.appendChild(iframe); doc = iframe.contentDocument || iframe.contentWindow.document; window[callbackName] = function (width) { iframedelay.active = width === 0; try { iframe.parentNode.removeChild(iframe); delete window[callbackName]; } catch (e){}; }; try { doc.open(); doc.write('window.parent.' + callbackName + '(window.innerWidth)'); doc.close(); } catch (e) { iframedelay.active = true; } return iframedelay; }());

Nuke blocking methods (before JS runs, then restore)

Opera + iframe + alert = suppressed

Remove autofocus

Cancel focus event

Consider restoring the scroll position

Detecting globals

PhoneGap

Custom API out of JavaScript embeds

x-domain comms

For bi-directional non- sockets comms

Used in jsconsole's remote

your mobile site add iframe origin: jsconsole.com jsconsole.com postMessage & onmessage EventSource Ajax post

Also fake live reload - but it didn't work - sorta viewport is ignored in iframes

document.domain

Comet, duh.

iframe a.com - iframe b.com -- iframe a.com

Passing data before load event via: window.name

Click-jacking

Now preventable in IE9+ via X-Frame-Options: SAMEORIGIN

Enable appcache on unknown urls

•Request / == "app chrome" •All other urls include iframe to light manifest page •Manifest says: FALLBACK: /* / •Therefore: any request to an unknown url, the "app chrome" will load via the fallback

Theory: iframe + appcache for offline assets

Future / Now / Good Parts • postMessage/onMessage • seamless • srcdoc • sandbox="allow-same-origin allow-forms allow-scripts" http://benvinegar.github.com/seamless-talk/

Cheers. Remy Sharp • @rem • Left Logic talk for 2013 anyone?