On 10/01/11 01:23, Jérémie Roquet wrote:
> - Taking the document.domain trick into account ⇒ would setting
> X-Frame-Options to SAMEORIGIN instead of DENY allow frames between
> /sub/domains?
No, SAMEORIGIN does not allow framing from, say, en.wikipedia.org to fr.wikipedia.org. It only allows framing within the exact same domain.

http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

"For instance, if http://shop.example.com/confirm.asp contains a DENY directive, that page will not render in a subframe, no matter where the parent frame is located. In contrast, if the X-FRAME-OPTIONS directive contains the SAMEORIGIN token, the page may be framed by any page from the exact http://shop.example.com origin."

-- Tim Starling

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
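The point Tim makes above, as an added example that is not part of the thread: a small model of how a browser evaluates X-Frame-Options DENY and SAMEORIGIN for a document about to be rendered in a frame. The decision is made on URL origins (scheme, host and port); document.domain is never consulted, which is why two wikipedia.org sub-domains that relax document.domain to a common parent are still not the same origin for framing. The scenario list, the hostnames attacker.example and shop.example.com/wrapper, and the function names are constructed for this example.

```javascript
// Added example (not from the Wikitech-l thread): a model of how a browser
// evaluates an X-Frame-Options response header for a document about to be
// rendered in a frame. It compares URL origins (scheme, host, port); the
// value of document.domain is never consulted, so relaxing document.domain
// on en.wikipedia.org and fr.wikipedia.org does not make them the same
// origin for framing purposes.

function originOf(url) {
  // WHATWG URL drops default ports, so https://host:443 and https://host
  // yield the same origin string.
  return new URL(url).origin;
}

// headerValue:  the X-Frame-Options value as received (case-insensitive)
// framedUrl:    URL of the document carrying the header
// ancestorUrls: URLs of the frame's ancestors, nearest parent first, up to
//               the top-level document
// Returns true if the framed document may render.
function xfoAllowsFraming(headerValue, framedUrl, ancestorUrls) {
  const token = String(headerValue).trim().toUpperCase();
  if (token === 'DENY') {
    // Never renders in a frame, wherever the parent is located.
    return false;
  }
  if (token === 'SAMEORIGIN') {
    // Strict reading: every ancestor must share the framed document's
    // exact origin. (Older browsers disagreed on whether to check only the
    // top-level document or every ancestor; this model checks all of them.)
    const self = originOf(framedUrl);
    return ancestorUrls.every((u) => originOf(u) === self);
  }
  // Unrecognised value: browsers ignore the header and render the frame.
  return true;
}

// Constructed scenarios covering the cases raised in the thread.
const SCENARIOS = [
  { name: 'DENY, framed by same origin',
    header: 'DENY',
    framed: 'http://shop.example.com/confirm.asp',
    ancestors: ['http://shop.example.com/'] },
  { name: 'SAMEORIGIN, framed by same origin',
    header: 'SAMEORIGIN',
    framed: 'http://shop.example.com/confirm.asp',
    ancestors: ['http://shop.example.com/cart'] },
  { name: 'SAMEORIGIN, en.wikipedia.org framed by fr.wikipedia.org',
    header: 'SAMEORIGIN',
    framed: 'http://en.wikipedia.org/wiki/Main_Page',
    ancestors: ['http://fr.wikipedia.org/wiki/Accueil'] },
  { name: 'SAMEORIGIN, same host but scheme differs',
    header: 'SAMEORIGIN',
    framed: 'https://shop.example.com/confirm.asp',
    ancestors: ['http://shop.example.com/'] },
  { name: 'SAMEORIGIN, same-origin parent nested in a foreign top-level page',
    header: 'SAMEORIGIN',
    framed: 'http://shop.example.com/confirm.asp',
    ancestors: ['http://shop.example.com/wrapper', 'http://attacker.example/'] },
];

function evaluateScenarios() {
  return SCENARIOS.map((s) => ({
    name: s.name,
    allowed: xfoAllowsFraming(s.header, s.framed, s.ancestors),
  }));
}

for (const r of evaluateScenarios()) {
  console.log(`${r.allowed ? 'RENDER' : 'BLOCK '} ${r.name}`);
}
```

Run it with node; only the two shop.example.com same-origin cases render, and the cross-sub-domain, cross-scheme and nested-in-foreign-page cases are blocked. Note that a SAMEORIGIN check protects the framed page only from other origins: it does nothing against a clickjacking page that is itself on the same origin.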
