2011/1/8 Jérémie Roquet arkanosis@gmail.com:
Both of them use a trick with an iframe to allow javascript requests across the wikipedia.org subdomains (something that is not possible using AJAX).
It would be possible if we started using CORS, at least in recent enough browsers.
- Does anybody know if having X-Frame-Options set to SAMEORIGIN would allow such tricks while still preventing clickjacking attacks from other domains (the actual question is: `would it work'?)
en.wikipedia.org is not the same origin as fr.wikipedia.org.
Any other idea on how to make such tools work again would of course be highly appreciated.
I'm not very knowledgeable in this sort of thing, I'm afraid. HTML5's postMessage() might be useful.