Reza Amya

Reputation: 89

what is better? using iframe or something like jquery to load an html file in external website

I want my customers to create their own HTML on my web application and then copy and paste my code into their website to show the result in the position they want, with a customized size and other options on the page. The output HTML of my web application contains HTML tags and JavaScript code (for example, a web chart created with JavaScript).

I found two ways to do this: one using an iframe and the other using jQuery .load().

What is better and safer? Is there any other way?

Upvotes: 1

Views: 412

Answers (1)

Barney

Reputation: 16456

iframe is better - if you are running JavaScript then that script shouldn't execute in the same context as your users' sites: you are asking for a level of trust here that the user shouldn't need to accede to, and your code is all nicely sandboxed so you don't have to worry about the parent document's styles and scripts.

As a front-end web developer and webmaster I've often taken the decision myself to sandbox third-party code in iframes. Below are some of the reasons I've done so:

  • Script would play with the DOM of the document. Once a third-party widget took it upon itself to introduce buggy and performance-intensive PNG fix hacks for IE across every PNG used in img tags and CSS across our site.
  • Many scripts overwrite the global onload event, robbing other scripts of their initialisation trigger.
  • Reading local session info and sending it back to their own repositories.
  • Loading any number of resources and performing CPU-intensive processes, interrupting and weighing down my site's core experience.

The above are all examples of short-sightedness or malice on the part of the third parties you may see yourself as above, but the point is that as one of your service's users I shouldn't need to take a gamble. If I put your code in an iframe, I know it can happily do its own thing and not screw with my site or its users. I can also choose to delay load and execution to a moment of my choosing (by dynamically loading the iframe at a moment of choice).

To argue the point in terms of your convenience rather than the users':

  • You don't have to worry about any of the trust issues associated with XSS. You can honestly tell your users they're not exposing themselves to any unnecessary worry by running your tool.
  • You don't have to make the extra effort to circumvent the effects of CSS and JS on your users' sites.

Upvotes: 2
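As an added illustration of the answer's recommendation (this is example code written for this page, not something the asker or answerer posted), the following builds the snippet a customer would paste into their site. It uses a sandboxed iframe, so the chart's JavaScript runs inside the frame rather than in the customer's document as a jQuery .load() injection would. The service origin `https://widgets.example.com`, the `/embed/<id>` path, and the function names are assumptions for the example.

```javascript
// Added example: generate the embed snippet for a customer-made widget.
// The service origin and embed path below are hypothetical placeholders.
const WIDGET_ORIGIN = "https://widgets.example.com";

// Escape a value for use inside a double-quoted HTML attribute, so a
// customer-supplied title cannot break out of the attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Accept only a positive integer pixel size (capped at 4000); otherwise
// fall back to the default so odd input cannot produce odd markup.
function pixels(n, fallback) {
  const v = Number(n);
  return Number.isInteger(v) && v > 0 && v <= 4000 ? v : fallback;
}

// Only a validated widget id is interpolated into the URL, so the snippet
// always points at the service's own origin.
function widgetUrl(widgetId) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(String(widgetId))) {
    throw new Error("invalid widget id");
  }
  return `${WIDGET_ORIGIN}/embed/${widgetId}`;
}

// Build the iframe tag the customer pastes into their page.
// sandbox="allow-scripts" lets the chart's own JavaScript run inside the
// frame, but without allow-same-origin the frame has an opaque origin and
// cannot read the host page's DOM, cookies or storage, and without
// allow-top-navigation it cannot navigate the host page away.
function buildEmbedSnippet({ widgetId, width = 600, height = 400, title = "Chart" }) {
  const src = widgetUrl(widgetId);
  const w = pixels(width, 600);
  const h = pixels(height, 400);
  return (
    `<iframe src="${escapeAttr(src)}"` +
    ` width="${w}" height="${h}"` +
    ` title="${escapeAttr(title)}"` +
    ` sandbox="allow-scripts"` +
    ` referrerpolicy="no-referrer"` +
    ` loading="lazy"` +
    ` style="border:0"></iframe>`
  );
}

// Deferred variant for the host page (browser only): nothing is fetched or
// executed until the host calls mountWidget, e.g. from a click handler or
// after its own initialisation, which is the "load at a moment of my
// choosing" point from the answer.
function mountWidget(container, opts) {
  const frame = document.createElement("iframe");
  frame.src = widgetUrl(opts.widgetId);
  frame.width = String(pixels(opts.width, 600));
  frame.height = String(pixels(opts.height, 400));
  frame.title = String(opts.title || "Chart");
  frame.setAttribute("sandbox", "allow-scripts");
  frame.referrerPolicy = "no-referrer";
  frame.style.border = "0";
  container.appendChild(frame);
  return frame;
}

// Example usage: this is the string shown to the customer to copy.
const snippet = buildEmbedSnippet({ widgetId: "chart-42", width: 800, height: 300 });

module.exports = { buildEmbedSnippet, mountWidget, escapeAttr, pixels, widgetUrl };
```

The important design choice is what is left out of the `sandbox` attribute: adding `allow-same-origin` would let the framed script reach the embedding page's storage, and `allow-top-navigation` would let it redirect the customer's visitors, which are exactly the behaviours the answer lists as reasons to isolate third-party code.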
