I stand by that iframes had their place, even if the backend devs absolutely hated them.
They still have their place; for example to embed Google Maps or a YouTube video. Generally, whenever you want to embed something from a different website you have no control over, that shouldn’t inherit your style sheets, and should be sandboxed to prevent cross site scripting attacks.
Are iframes really sandboxed in different processes than the main frame? On which browsers?
Iframes cannot access the main frame’s DOM if the iframe is from a different origin than the main frame, and they never share the same JavaScript execution context, so an iframe can’t access the main frame’s variables etc.
It’s not required that iframes run in a different process, but I think they do at least in Chrome and Firefox if they’re from a different origin. Also, iframes with the
sandbox
attribute have a number of additional restrictions, which can be individually disabled when needed.
Running each app component in it’s own iframe is perfectly valid microservices architecture change my mind.
I believe Kingdom of Loathing used iframes extensively to achieve what looked like a “dynamic” page long before that was a thing.
Seems to me they were mostly used to put content inside a scrollable element. Their place has mostly been taken by overflow:auto hasn’t it? I think this is the better way.