2011/1/9 Jérémie Roquet <arkanosis(a)gmail.com>:
True, but it appears that setting document.domain to the same value for both subdomains (i.e. 'wikipedia.org') is enough to have the same origin. [1]
That's what I was already doing for iKiwi and xmsg to work, because
without this, most browsers already enforce the same origin policy for
DOM manipulations inside (i)frames. With it, it works fine, even with
the NoScript addon.
Ah, right.
Thanks for the tip, I had never heard about this before.
However, reading
the description at MDN [2], I'm afraid it doesn't address the current
issue at all because it requires two windows to communicate together
(which is exactly what X-Frame-Options forbids).
That would have allowed making cross-domain requests (e.g. between Wikipedia and Wikimedia Commons), but with X-Frame-Options I'm afraid it's just as useless as the iframe hack.
Hmm, right.
- Taking the document.domain trick into account ⇒ would setting X-Frame-Options to SAMEORIGIN instead of DENY allow frames between /sub/domains?
I don't see any detailed documentation for X-Frame-Options anywhere.
It looks like IE8 made it up with no detailed spec and other browsers
copied the general idea still with no detailed spec. So I don't know,
sorry.
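The document.domain trick described in the thread, written up here as an added JavaScript model (not code from the thread or from MediaWiki) of the HTML "same origin-domain" check that document.domain relaxes. It assumes plain DNS hostnames and leaves out the public-suffix check browsers also apply (e.g. refusing 'co.uk'); the `origin` objects and helper names are constructed for this example.

```javascript
// Model of how a browser decides whether two documents may script each
// other once document.domain is involved. Constructed example, not the
// thread's code; the public-suffix check is deliberately omitted.

// Parse a URL into the tuple a browser compares: scheme, host, port, plus
// the document.domain value (null until a page explicitly sets it).
function parseOrigin(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol, host: u.hostname, port, domain: null };
}

// Validate an assignment to document.domain the way a browser does:
// the new value must be the page's own host or a parent domain of it,
// so commons.wikimedia.org can never claim 'wikipedia.org'.
function setDocumentDomain(origin, value) {
  const v = value.toLowerCase();
  if (v !== origin.host && !origin.host.endsWith('.' + v)) {
    throw new Error(`cannot set document.domain to '${value}' from ${origin.host}`);
  }
  return { ...origin, domain: v };
}

// "Same origin-domain": with document.domain untouched on both sides this is
// the ordinary scheme/host/port comparison. Once set, BOTH sides must have
// opted in with the same value (ports are then ignored); a one-sided
// assignment breaks scripting even between otherwise identical origins.
function sameOriginDomain(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain === null && b.domain === null) {
    return a.host === b.host && a.port === b.port;
  }
  return a.domain !== null && b.domain !== null && a.domain === b.domain;
}

// Convenience wrapper: may page A (with optional document.domain value)
// script page B (with its own optional value)?
function canScript(urlA, domainA, urlB, domainB) {
  let a = parseOrigin(urlA);
  let b = parseOrigin(urlB);
  if (domainA) a = setDocumentDomain(a, domainA);
  if (domainB) b = setDocumentDomain(b, domainB);
  return sameOriginDomain(a, b);
}
```

This only models DOM access between documents that can already reach each other's window objects; it says nothing about whether X-Frame-Options lets the frame load in the first place, which is the open question in the thread.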