2011/1/8 Jérémie Roquet <arkanosis(a)gmail.com>:
> Both of them use a trick with an iframe to allow javascript requests
> across the wikipedia.org subdomains (something that is not possible
> using AJAX).

It would be possible if we started using CORS, at least in recent
enough browsers.

> - Does anybody know if having X-Frame-Options set to SAMEORIGIN would
> allow such tricks while still preventing clickjacking attacks from
> other domains (the actual question is: `would it work'?)

en.wikipedia.org is not the same origin as fr.wikipedia.org.

> Any other idea on how to make such tools work again would of course be
> highly appreciated.

I'm not very knowledgeable in this sort of thing, I'm afraid. HTML5's
postMessage() might be useful.
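
An added example, not part of the original message or of any Wikimedia code: the origin comparison behind the SAMEORIGIN answer above, and the origin check a postMessage() receiver or a CORS endpoint would need for the wikipedia.org subdomains. The function names, the message shape and the https-only rule are assumptions made for illustration.

```javascript
// Added illustration: helper names, message shape and sample origins are assumptions.

// An origin is the (scheme, host, port) triple; URL.origin normalises it.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// X-Frame-Options: SAMEORIGIN permits framing only by the page's own origin,
// so a sibling subdomain is refused just like an unrelated site.
function framingAllowedBySameOrigin(framedUrl, parentUrl) {
  return sameOrigin(framedUrl, parentUrl);
}

// Trust wikipedia.org and its subdomains only (https-only is an assumption).
function isTrustedOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch (e) { return false; } // e.g. "null"
  if (url.protocol !== 'https:' || url.port !== '') return false;
  const host = url.hostname;
  // The leading dot matters: "evilwikipedia.org" must not match.
  return host === 'wikipedia.org' || host.endsWith('.wikipedia.org');
}

// A CORS endpoint would echo Access-Control-Allow-Origin only for such origins.
function corsAllowOrigin(requestOrigin) {
  return isTrustedOrigin(requestOrigin) ? requestOrigin : null;
}

// postMessage receiver: check event.origin first, then validate the payload.
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin) || typeof event.data !== 'string') return null;
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) { return null; }
  if (msg === null || msg.type !== 'api-request' || typeof msg.title !== 'string') return null;
  return { replyTo: event.origin, title: msg.title };
}

// In a browser, register the receiver and answer only the validated origin.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const request = handleMessage(event);
    if (!request) return;
    const reply = JSON.stringify({ type: 'api-reply', title: request.title });
    event.source.postMessage(reply, request.replyTo); // never use '*' here
  });
}
```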