Intent to Ship: Responsively-sized <iframe>

Koji Ishii

unread,

May 14, 2026, 5:43:41 AMMay 14

to blink-dev, Chris Harrelson, Ian Kilpatrick

Contact emails

chri...@chromium.org, ko...@chromium.org, ikilp...@chromium.org

Explainer

https://github.com/w3c/csswg-drafts/blob/main/css-sizing-4/responsive-iframes-explainer.md

Specification

https://drafts.csswg.org/css-sizing-4/#responsive-iframes

Summary

Allow sites to opt into iframes having responsive sizing (sizing the <iframe> element in the parent document to the iframe document's layout overflow sizing, so that scrolling in the child document is avoided).

Blink component

Blink>Layout

Web Feature ID

Missing feature

Motivation

This is a natural feature to have for iframes, when the site wants to render the iframe content so that it looks seamless with the parent frame and avoids scrollbars.

Initial public proposal

https://github.com/whatwg/html/issues/555

TAG review

https://github.com/w3ctag/design-reviews/issues/1223

TAG review status

Pending

Goals for experimentation

None

Risks

Interoperability and Compatibility

No information provided

Gecko: No signal (https://github.com/mozilla/standards-positions/issues/1394)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/653)

Web developers: No signals Plenty of developer demand is expressed in the feature request standards issues: https://github.com/whatwg/html/issues/555 https://github.com/w3c/csswg-drafts/issues/1771 https://github.com/w3c/csswg-drafts/blob/main/css-sizing-4/responsive-iframes-explainer.md#use-cases

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No information provided

Debuggability

No information provided

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes
https://wpt.fyi/results/css/css-sizing/responsive-iframe?label=experimental&label=master&aligned

Flag name on about://flags

responsive-iframes

Finch feature name

ResponsiveIframes

Rollout plan

Will ship enabled for all users

Requires code in //chrome?

False

Tracking bug

https://issues.chromium.org/issues/418397278

Estimated milestones

Shipping on desktop	150
Shipping on Android	150
Shipping on WebView	150

Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

https://github.com/w3c/csswg-drafts/issues/13589 - cross-origin case left a possibility of change: "RESOLVED: Check with security folks whether cross-origin case leaking info is an issue that needs mitigation"

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5108373464547328?gate=5102892096421888

Links to previous Intent discussions

Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/682bb3fa.2b0a0220.146035.00b7.GAE%40google.com

This intent message was generated by Chrome Platform Status.

Mike Taylor

unread,

May 17, 2026, 9:40:23 PMMay 17

to Koji Ishii, blink-dev, Chris Harrelson, Ian Kilpatrick

On 5/14/26 5:43 a.m., Koji Ishii wrote:

Contact emails
chri...@chromium.org, ko...@chromium.org, ikilp...@chromium.org

Explainer
https://github.com/w3c/csswg-drafts/blob/main/css-sizing-4/responsive-iframes-explainer.md

Specification
https://drafts.csswg.org/css-sizing-4/#responsive-iframes

I see there's also an open PR to define the meta element https://github.com/whatwg/html/pull/12444

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHe_1dKm%3DLFTKhRKHV9m4fJsqYnw6M0YwGP63DNg%3DkUcv%2BAeQQ%40mail.gmail.com.

Alex Russell

unread,

May 18, 2026, 2:40:55 PMMay 18

to blink-dev, Mike Taylor, Chris Harrelson, Ian Kilpatrick, Koji Ishii

In case nobody else says it, this is an *incredible* addition to the platform. Thank you so much for making it happen.

LGTM1, pending resolution to the spec PRs.

On Sunday, May 17, 2026 at 6:40:23 PM UTC-7 Mike Taylor wrote:

On 5/14/26 5:43 a.m., Koji Ishii wrote:

Contact emails
chri...@chromium.org, kojii@chromium.org, ikilpatrick@chromium.org

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Vladimir Levin

unread,

May 20, 2026, 10:08:12 AMMay 20

to Alex Russell, blink-dev, Mike Taylor, Chris Harrelson, Ian Kilpatrick, Koji Ishii

From the explainer, the defense against malicious sites embedding an opted-in frame is mitigated by `X-Frame-Options`, but I suspect it's `Content-Security-Policy: frame-ancestors` that's needed here for cross-origin allowed embeds. Is that right?

Also the explainer mentions that possibly there's ideas to change the meta tag itself:

> Additional restrictions could be put in place through contents of the <meta> tag that would restrict to only explicitly allowed origins.

Out of curiosity, is this being pursued in future work or is CSP deemed enough?

Thanks!

Vlad

On Mon, May 18, 2026 at 2:40 PM Alex Russell <sligh...@chromium.org> wrote:

In case nobody else says it, this is an *incredible* addition to the platform. Thank you so much for making it happen.

LGTM1, pending resolution to the spec PRs.

On Sunday, May 17, 2026 at 6:40:23 PM UTC-7 Mike Taylor wrote:

On 5/14/26 5:43 a.m., Koji Ishii wrote:

Contact emails
chri...@chromium.org, ko...@chromium.org, ikilp...@chromium.org

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHe_1dKm%3DLFTKhRKHV9m4fJsqYnw6M0YwGP63DNg%3DkUcv%2BAeQQ%40mail.gmail.com.

--

You received this message because you are subscribed to the Google Groups "blink-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/aa96be3c-2a10-47e5-b4f4-2416625bbf3an%40chromium.org.

Koji Ishii

unread,

May 25, 2026, 4:52:19 AM (9 days ago) May 25

to Vladimir Levin, Alex Russell, blink-dev, Mike Taylor, Chris Harrelson, Ian Kilpatrick

2026年5月20日(水) 23:07 Vladimir Levin <vmp...@chromium.org>:

From the explainer, the defense against malicious sites embedding an opted-in frame is mitigated by `X-Frame-Options`, but I suspect it's `Content-Security-Policy: frame-ancestors` that's needed here for cross-origin allowed embeds. Is that right?

I think you're right, I'll update the explainer. Thanks for catching.

Also the explainer mentions that possibly there's ideas to change the meta tag itself:
> Additional restrictions could be put in place through contents of the <meta> tag that would restrict to only explicitly allowed origins.

Out of curiosity, is this being pursued in future work or is CSP deemed enough?

I expect to extend this feature further after the initial ship, as I see even more interest from web authors than I expected. How it would be done is still not determined yet.

一丝

unread,

May 26, 2026, 5:21:18 AM (8 days ago) May 26

to blink-dev, ko...@chromium.org, sligh...@chromium.org, blink-dev, mike...@chromium.org, Chris Harrelson, ikilp...@chromium.org, vmp...@chromium.org

Hi Koji,

This is absolutely amazing—it addresses a long-standing pain point on the web.

Currently, many pages feature feed streams that load as the user scrolls. Does the current implementation support pages with dynamically changing heights like this? I noticed the `window.requestResize()` method in the specification, but I’m not sure if it can handle this scenario. Could you add some clarification to the explainer?

Vladimir Levin

unread,

May 26, 2026, 4:02:02 PM (8 days ago) May 26

to 一丝, blink-dev, ko...@chromium.org, sligh...@chromium.org, mike...@chromium.org, Chris Harrelson, ikilp...@chromium.org

Thank you for your replies. I'm happy to delegate to Privacy and WP Security reviews on the subject of whether CSP is sufficient to prevent malicious cases. I am curious of the results, do you know if the discussion is ongoing and/or reaching a resolution?

LGTM2. However, please make sure both Privacy and WP Security gates are fully complete before enabling this (as should be the case anyway :) )

Thanks!

Vlad

--

You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/49ffe305-788a-4df7-b394-2a96ca96f28fn%40chromium.org.

Mike Taylor

unread,

May 28, 2026, 4:30:26 PM (6 days ago) May 28

to Vladimir Levin, 一丝, blink-dev, ko...@chromium.org, sligh...@chromium.org, Chris Harrelson, ikilp...@chromium.org

LGTM3, with the same note as Vlad - let's make sure Security & Privacy gates are approved before shipping.

Reply all

Reply to author

Forward