On Thu, 17 Dec 2009, Tyler Close wrote: > > Starting from the X-FRAME-OPTIONS proposal, say the response header > also applies to all embedding that the page renderer does. So it also > covers <img>, <video>, etc. In addition to the current values, the > header can also list hostname patterns that may embed the content. So, > in your case: > > X-FRAME-OPTIONS: *.example.com > Access-Control-Allow-Origin: * > > Which means anyone can access this content, but sites outside > *.example.com should host their own copy, rather than framing or > otherwise directly embedding my copy.
Why is this better than: Access-Control-Allow-Origin: *.example.com ...? -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'