<portal> is an experiment/pet project pushed (and only implemented!) by one browser vendor, which as far as I know remains feature flagged.
It was shipped behind a flag with an initial implementation vulnerable to a same origin policy bypass as well as local file disclosure. As far as I can tell the only reason it wasn't assigned a Moz standards position of "harmful" is because Google argued "it's actually still a work in progress!" (three years ago).
The behavior of the object element is to use its child nodes as fallback content in the event that the resource cannot be loaded, similar to the the treatment of images' alt attributes for images that fail to load. This isn't to say that this protects against a determined adversary (who might then chose not to return HTTP 404/410 and instead HTTP 200), but the mechanism is there.
iframe is loading a whole page with script permissions (and sandboxed). it seems there isnt any tag for adding a remote snippet of html, like you can do with ajax
What do you mean by "remote snippet of html"? An iframe loads whatever's on the other end of the src URL. If that's a "whole page", then it loads a whole page. If it's just a "snippet" of content, then it loads that. Any snippet you think of can be loaded by iframe exactly as described. The only hitch, really, is that it's always treated as block-level content instead of CSS-style "inline" flow-level content, but that's clearly not relevant to the use case at hand—embedded tweets are already block-level.
It's not clear what you're asking for. (E.g. do you want that snippet not to be sandboxed?)
iframe is a full page. i mean some HTML code, a div or some text or a table etc. the kind of things we load with Ajax. The equivalent of <img>, but for HTML content : <remotehtml src="https://twitter.com/snip/12345678" />
This isn't really any clearer than your earlier comment.
> iframe is a full page.
An iframe loads whatever you give it. If you give it a URL to a "full page"/"whole page", then it loads that. If the URL leads to e.g. "a div" or "a table", then that will be loaded. That's under the control of the person who's putting stuff on the other end of the URL. To repeat, there is exactly one case where this doesn't hold up: when you want the loaded content to be inline and not block-level (e.g. "some text"—and if inline content is what you meant, then you should say that instead of just giving another vague response; again, though, even if that is what you want, how would that be relevant to the use case we're talking about here: embedding tweets?)
it doesnt inherit style etc. it s also a completely different document for scripting purposes. it s also rather heavy, hard to have 100 iframes in a page