On 10/01/11 01:23, Jérémie Roquet wrote:
>  - Taking the document.domain trick into account ⇒ would setting
> X-Frame-Options to SAMEORIGIN instead of DENY allow frames between
> /sub/domains?

No, SAMEORIGIN does not allow framing from say en.wikipedia.org to
fr.wikipedia.org. It only allows framing within the exact same domain.

http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

"For instance, if http://shop.example.com/confirm.asp contains a DENY
directive, that page will not render in a subframe, no matter where
the parent frame is located. In contrast, if the X-FRAME-OPTIONS
directive contains the SAMEORIGIN token, the page may be framed by any
page from the exact http://shop.example.com origin."

-- Tim Starling
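To make the distinction in the reply concrete, here is an added example (not part of the original thread, nor MediaWiki code) that models how a browser decides whether a response carrying X-Frame-Options may render inside a frame. Origins are compared as scheme + host + port, exactly as the IE8 article quoted above describes, so the registrable domain (wikipedia.org) and any document.domain assignment play no part. The function name `mayRenderInFrame` and the argument layout are this example's own; the assumption that every ancestor frame is checked (rather than only the top-level page) follows current browser behaviour and is marked in the code.

```javascript
// Added example: a model of the browser-side X-Frame-Options check.
// Not the original thread's code; names and the ancestor-chain assumption are ours.

// Reduce a URL to its origin (scheme + host + port), e.g.
// "https://en.wikipedia.org". A default port is folded in, so
// "https://fr.wikipedia.org:443/" and "https://fr.wikipedia.org/" agree.
function parseOrigin(url) {
  return new URL(url).origin;
}

// Decide whether the framed document may render.
//   framedUrl : URL of the response that carries the header
//   xfo       : value of its X-Frame-Options header (undefined if absent)
//   ancestors : URLs of the embedding documents, nearest parent first,
//               ending with the top-level page; empty when not framed
function mayRenderInFrame(framedUrl, xfo, ancestors) {
  if (ancestors.length === 0) return true;          // top-level load: header irrelevant
  if (xfo === undefined || xfo === null) return true; // no header: framing allowed

  switch (xfo.trim().toUpperCase()) {
    case 'DENY':
      // Refused no matter where the parent frame is located.
      return false;
    case 'SAMEORIGIN': {
      const self = parseOrigin(framedUrl);
      // Assumption: every ancestor must share the exact origin (current
      // browser behaviour); older implementations compared only the top page.
      // Subdomains are different origins, so en. vs fr.wikipedia.org fails here.
      return ancestors.every((a) => parseOrigin(a) === self);
    }
    default:
      // Unrecognised values (including the long-deprecated ALLOW-FROM) are
      // ignored by current browsers, so the page renders: a misspelled
      // directive gives no protection at all.
      return true;
  }
}

// Constructed scenarios mirroring the question in the thread.
const scenarios = [
  ['https://fr.wikipedia.org/wiki/X', 'SAMEORIGIN', ['https://en.wikipedia.org/wiki/Y']],
  ['https://fr.wikipedia.org/wiki/X', 'SAMEORIGIN', ['https://fr.wikipedia.org/wiki/Y']],
  ['https://fr.wikipedia.org/wiki/X', 'DENY',       ['https://fr.wikipedia.org/wiki/Y']],
  ['http://shop.example.com/confirm.asp', 'SAMEORIGIN', ['http://shop.example.com/cart.asp', 'https://other.example/']],
];

function runScenarios() {
  return scenarios.map(([framed, xfo, ancestors]) => mayRenderInFrame(framed, xfo, ancestors));
}

for (const [framed, xfo, ancestors] of scenarios) {
  console.log(`${xfo} ${framed} framed by [${ancestors.join(', ')}] -> ${mayRenderInFrame(framed, xfo, ancestors) ? 'renders' : 'blocked'}`);
}
```

The second `en.` vs `fr.` case returns false, which is the answer given in the reply: SAMEORIGIN is an exact-origin comparison, not a same-site one, so cross-subdomain framing needs a different mechanism than X-Frame-Options.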


_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l