2011/1/9 Jérémie Roquet <[email protected]>:
> True, but it appears that setting document.domain to the same value
> for both subdomains (ie. 'wikipedia.org') is enough to have the same
> origin. [1]
> That's what I was already doing for iKiwi and xmsg to work, because
> without this, most browsers already enforce the same origin policy for
> DOM manipulations inside (i)frames. With it, it works fine, even with
> the NoScript addon.

Ah, right.

> Thanks for the tip, I never heard about this before. However, reading
> the description at MDN [2], I'm afraid it doesn't address the current
> issue at all because it requires two windows to communicate together
> (which is exactly what X-Frame-Options forbids).
> That would have allowed to make cross-domain requests (eg. between
> Wikipedia and Wikimedia Commons), but with X-Frame-Options I'm afraid
> it's just as useless as the iframe hack.

Hmm, right.

> - Taking the document.domain trick into account ⇒ would setting
> X-Frame-Options to SAMEORIGIN instead of DENY allow frames between
> /sub/domains?

I don't see any detailed documentation for X-Frame-Options anywhere. It looks like IE8 made it up with no detailed spec and other browsers copied the general idea still with no detailed spec. So I don't know, sorry.
