- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 18 Dec 2009 01:49:19 +0000 (UTC)
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps <public-webapps@w3.org>

On Thu, 17 Dec 2009, Tyler Close wrote:
>
> Starting from the X-FRAME-OPTIONS proposal, say the response header
> also applies to all embedding that the page renderer does. So it also
> covers <img>, <video>, etc. In addition to the current values, the
> header can also list hostname patterns that may embed the content. So,
> in your case:
>
> X-FRAME-OPTIONS: *.example.com
> Access-Control-Allow-Origin: *
>
> Which means anyone can access this content, but sites outside
> *.example.com should host their own copy, rather than framing or
> otherwise directly embedding my copy.

Why is this better than:

    Access-Control-Allow-Origin: *.example.com

...?

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 18 December 2009 01:50:03 UTC