2011/1/9 Jérémie Roquet arkanosis@gmail.com:
True, but it appears that setting document.domain to the same value for both subdomains (i.e. 'wikipedia.org') is enough to have the same origin. [1] That's what I was already doing for iKiwi and xmsg to work, because without this, most browsers already enforce the same-origin policy for DOM manipulations inside (i)frames. With it, it works fine, even with the NoScript addon.
Ah, right.
Thanks for the tip, I had never heard about this before. However, reading the description at MDN [2], I'm afraid it doesn't address the current issue at all because it requires two windows to communicate together (which is exactly what X-Frame-Options forbids). That would have allowed making cross-domain requests (e.g. between Wikipedia and Wikimedia Commons), but with X-Frame-Options I'm afraid it's just as useless as the iframe hack.
Hmm, right.
- Taking the document.domain trick into account ⇒ would setting X-Frame-Options to SAMEORIGIN instead of DENY allow frames between /sub/domains?
I don't see any detailed documentation for X-Frame-Options anywhere. It looks like IE8 made it up with no detailed spec and other browsers copied the general idea still with no detailed spec. So I don't know, sorry.
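As an added illustration of the question left open above (this is not code from the thread, from MediaWiki, or from any browser), the following Node.js script models the two mechanisms the exchange mixes: the X-Frame-Options check a browser applies when it is about to render a response inside a frame, and the document.domain relaxation of the same-origin policy, which only affects script and DOM access between documents that have already loaded. The header is evaluated before any script in the framed page can run, so document.domain is simply not an input to it; SAMEORIGIN compares origins (scheme, host, port), and en.wikipedia.org and de.wikipedia.org are different origins. The URLs are constructed for the example. Assumptions of the model: unrecognised directive values are ignored the way Chrome does (it logs a warning and renders), only the top-level page is compared rather than every intermediate ancestor (a point on which browsers have differed), and the public-suffix rule for document.domain is approximated by requiring a dot in the value.

```javascript
// Added example for this thread (not code from the wikitech-l post or MediaWiki).
// It models, in plain Node.js, two browser mechanisms:
//   1. the X-Frame-Options check (DENY / SAMEORIGIN, the values IE8 introduced),
//      applied when a response is about to be rendered inside a frame;
//   2. the document.domain relaxation of the same-origin policy, which only
//      affects script/DOM access between documents that are already loaded.
// The URLs are constructed for illustration; this is a model, not a browser.

// Origin = (scheme, host, port); `domain` is null until document.domain is set.
function parseOrigin(url) {
  const u = new URL(url);
  const defaultPort = u.protocol === 'https:' ? '443' : '80';
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,
    port: u.port || defaultPort,
    domain: null,
  };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// X-Frame-Options as a browser evaluates it (RFC 7034 later wrote this down):
// `framedUrl` is the response being loaded into the frame, `topUrl` the page
// that embeds it. Only origins are compared. document.domain is not an input:
// the header is checked before any script in the framed document can run.
// Model assumptions: unrecognised values are ignored as Chrome does (warning,
// then render), and only the top-level page is compared, not every ancestor.
function frameAllowed(xfoHeader, framedUrl, topUrl) {
  if (xfoHeader == null) return true; // no header: framing permitted
  const value = xfoHeader.trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') {
    return sameOrigin(parseOrigin(framedUrl), parseOrigin(topUrl));
  }
  return true; // unrecognised directive: treated as if the header were absent
}

// document.domain: a document may shorten its domain to a parent of its host.
// Real browsers also refuse public suffixes ("org"); this model approximates
// that by requiring the value to contain a dot. Returns a new effective origin.
function setDocumentDomain(origin, domain) {
  const ok = origin.host === domain ||
    (domain.includes('.') && origin.host.endsWith('.' + domain));
  if (!ok) {
    throw new Error(`SecurityError: ${origin.host} cannot set document.domain to ${domain}`);
  }
  return { ...origin, domain };
}

// Script/DOM access between two loaded documents: both must have set
// document.domain to the same value (the port no longer matters once it is
// set), or neither has set it and they are plain same-origin. A one-sided
// relaxation never grants access.
function scriptAccessAllowed(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return false;
}

// The situation discussed in the thread, with constructed URLs.
function wikipediaScenario() {
  const en = 'https://en.wikipedia.org/wiki/Main_Page';
  const de = 'https://de.wikipedia.org/wiki/Hauptseite';
  const relaxedEn = setDocumentDomain(parseOrigin(en), 'wikipedia.org');
  const relaxedDe = setDocumentDomain(parseOrigin(de), 'wikipedia.org');

  let commonsRelaxation;
  try {
    // Commons lives on wikimedia.org, so wikipedia.org is not a parent domain.
    setDocumentDomain(parseOrigin('https://commons.wikimedia.org/'), 'wikipedia.org');
    commonsRelaxation = 'allowed';
  } catch (e) {
    commonsRelaxation = 'refused';
  }

  return {
    // DOM access once both subdomains relax to wikipedia.org
    domAccessAfterRelaxation: scriptAccessAllowed(relaxedEn, relaxedDe),
    // ...but not if only one side did it
    domAccessOneSided: scriptAccessAllowed(relaxedEn, parseOrigin(de)),
    // document.domain cannot reach a different registrable domain
    commonsRelaxation,
    // SAMEORIGIN: de.wikipedia.org framed by de.wikipedia.org
    sameOriginFrame: frameAllowed('SAMEORIGIN', de, de),
    // SAMEORIGIN: de.wikipedia.org framed by en.wikipedia.org (hosts differ)
    crossSubdomainFrame: frameAllowed('SAMEORIGIN', de, en),
    // DENY blocks even same-origin framing
    denySameOrigin: frameAllowed('DENY', de, de),
  };
}

console.log(wikipediaScenario());
```

Running it shows the asymmetry the thread is circling: the document.domain trick does give en and de DOM access to each other once both sides set it, but SAMEORIGIN still refuses to render de.wikipedia.org inside a frame on en.wikipedia.org, because the header is compared on origins before the framed page exists. Switching from DENY to SAMEORIGIN only buys framing within one host.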