On 10/01/11 01:23, Jérémie Roquet wrote:
> - Taking the document.domain trick into account ⇒ would setting
> X-Frame-Options to SAMEORIGIN instead of DENY allow frames between
> /sub/domains?
No, SAMEORIGIN does not allow framing from, say, en.wikipedia.org to
fr.wikipedia.org. It only allows framing within the exact same domain.
http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickja…
"For instance, if http://shop.example.com/confirm.asp contains a DENY
directive, that page will not render in a subframe, no matter where
the parent frame is located. In contrast, if the X-FRAME-OPTIONS
directive contains the SAMEORIGIN token, the page may be framed by any
page from the exact http://shop.example.com origin."
-- Tim Starling
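The origin comparison Tim describes, as an added illustration that is not part of the thread: a small evaluator that decides whether a page served with a given X-Frame-Options header may be rendered inside a frame, given the URLs of the framing ancestors. It assumes the modern browser behaviour of checking every ancestor (not only the top-level page) and compares the full origin tuple, so a document.domain relaxation on either side makes no difference.

```python
from urllib.parse import urlsplit

# Default ports, so https://a.example and https://a.example:443 compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin of a URL with defaults normalised."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def framing_allowed(xfo_header, framed_url, ancestor_urls):
    """Decide whether framed_url may render inside the given ancestor chain.

    xfo_header is the X-Frame-Options value the framed page was served with.
    ancestor_urls lists every framing ancestor, innermost first.
    Assumption: all ancestors are checked, as current browsers do.
    """
    value = (xfo_header or "").strip().upper()
    if not value:
        return True  # no header: X-Frame-Options imposes no restriction
    if value == "DENY":
        return False  # never framed, whatever the parent is
    if value == "SAMEORIGIN":
        target = origin(framed_url)
        # Exact origin match only; en.wikipedia.org != fr.wikipedia.org here
        # even though document.domain could make their scripts cooperate.
        return all(origin(a) == target for a in ancestor_urls)
    raise ValueError(f"unsupported X-Frame-Options value: {xfo_header!r}")


if __name__ == "__main__":
    # Constructed sample: a fr.wikipedia.org page framed by en.wikipedia.org.
    print(framing_allowed("SAMEORIGIN", "https://fr.wikipedia.org/wiki/Accueil",
                          ["https://en.wikipedia.org/wiki/Main_Page"]))
```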