On Wed, 11 Aug 2010 19:03:28 +0200, Adam Barth <[email protected]> wrote:
On Wed, Aug 11, 2010 at 8:05 AM, Markus Ernst <[email protected]> wrote:
A solution at authoring level for cases where the author controls both
pages
would be quite helpful. I think of a meta element in the embedded
document
that specifies one or more domains that are allowed to embed it
seamlessly
in an iframe, such as e.g.:
<meta name="allow-seamless-embedding" name="domain.tld,
otherdomain.tld">
I think that this would be ok from a security POV, and much easier than
using CORS.
That feels like re-inventing CORS. Maybe we should make CORS easier
to use instead?
What exactly is hard about it?
(Though I should note we should carefully study whether using CORS here is
safe and sound. For instance, you may want to allow seamless embedding,
but not share content.)
--
Anne van Kesteren
http://annevankesteren.nl/
