On 10/01/11 01:23, Jérémie Roquet wrote:
- Taking the document.domain trick into account ⇒ would setting
X-Frame-Options to SAMEORIGIN instead of DENY allow frames between /sub/domains?
No, SAMEORIGIN does not allow framing from, say, en.wikipedia.org to fr.wikipedia.org. It only allows framing within the exact same domain.
http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjac...
"For instance, if http://shop.example.com/confirm.asp contains a DENY directive, that page will not render in a subframe, no matter where the parent frame is located. In contrast, if the X-FRAME-OPTIONS directive contains the SAMEORIGIN token, the page may be framed by any page from the exact http://shop.example.com origin."
-- Tim Starling
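Modelling the rule described above, as an added example that is not part of the original thread: a small JavaScript approximation of how a browser evaluates X-Frame-Options, run against the en/fr.wikipedia.org case from the question. The origin comparison and the document.domain model are simplified assumptions, not browser source.

```javascript
// Added example (not from the mailing-list thread). Origins are compared as
// scheme://host[:port], which is what SAMEORIGIN means; document.domain is
// ignored because X-Frame-Options is enforced on the HTTP response, before
// any script in the framed page could run.
function parseOrigin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

// True if a response carrying `xfoHeader` may render inside a frame whose
// top-level document was loaded from `parentUrl`.
function frameAllowed(xfoHeader, pageUrl, parentUrl) {
  const value = (xfoHeader || '').trim().toUpperCase();
  if (value === '') return true;   // no header: framing is unrestricted
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return parseOrigin(pageUrl) === parseOrigin(parentUrl);
  // Browsers ignore an unrecognised value, so a typo silently drops the
  // protection; surface that here rather than pretending it blocks anything.
  return true;
}

// Simplified model of the document.domain relaxation: both documents must
// set it to the same parent domain that each hostname actually ends with.
function scriptAccessAllowed(aUrl, aDocDomain, bUrl, bDocDomain) {
  const a = new URL(aUrl), b = new URL(bUrl);
  if (a.protocol !== b.protocol) return false;
  if (aDocDomain === null && bDocDomain === null) return a.host === b.host;
  if (aDocDomain === null || bDocDomain === null) return false;
  const suffixOf = (host, dom) => host === dom || host.endsWith('.' + dom);
  return aDocDomain === bDocDomain &&
    suffixOf(a.hostname, aDocDomain) && suffixOf(b.hostname, bDocDomain);
}

// The case from the thread: fr.wikipedia.org trying to frame en.wikipedia.org
// (constructed URLs; the paths are illustrative).
function wikipediaCase() {
  const page = 'https://en.wikipedia.org/wiki/Main_Page';
  const parent = 'https://fr.wikipedia.org/wiki/Accueil';
  return {
    sameoriginBlocksSubdomain: !frameAllowed('SAMEORIGIN', page, parent),
    sameoriginAllowsExactOrigin: frameAllowed('SAMEORIGIN', page, 'https://en.wikipedia.org/'),
    denyBlocksEvenItself: !frameAllowed('DENY', page, page),
    // Both sides setting document.domain = 'wikipedia.org' would let them
    // script each other, but the frame is refused before that ever matters.
    scriptingWouldHaveWorked: scriptAccessAllowed(page, 'wikipedia.org', parent, 'wikipedia.org'),
  };
}
```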