- From: Bil Corry <bil@corry.biz>
- Date: Fri, 20 Feb 2009 12:36:47 -0600
Sigbjørn Vik wrote on 2/20/2009 8:46 AM:

> One proposed way of doing this would be a single header, of the form:
> x-cross-domain-options: deny=frame,post,auth; AllowSameOrigin;
> allow=*.opera.com,example.net;
> This incorporates the idea from the IE team, and extends on it.

Have you taken a look at ABE?

http://hackademix.net/wp-content/uploads/2008/12/abe_rules_03.pdf

> For cross-domain resources, this means that a browser would first have
> to make a request with GET and without authentication tokens to get the
> x-cross-domain-options settings from the resource. If the settings
> allow, a second request may be made, if the second request would be
> different. The result of the last request is handed over to the document.

Have you considered using OPTIONS for the pre-flight request, similar to how Access Control for Cross-Site Requests does it?

http://www.w3.org/TR/access-control/#cross-site2

- Bil
Received on Friday, 20 February 2009 10:36:47 UTC
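As an added illustration (not code from either correspondent or from any browser), the following evaluator parses the proposed `x-cross-domain-options` header quoted above and decides whether a cross-domain action may proceed. The semantics (deny applies to every cross-domain requester, AllowSameOrigin exempts the resource's own origin, allow patterns exempt matching hosts) are my assumed reading of the quoted proposal, and the header value and URLs are constructed.

```python
"""Toy policy evaluator for the proposed x-cross-domain-options header.
The directive semantics are an assumed reading of the quoted proposal."""
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed header value, taken from the form quoted in the thread.
HEADER_VALUE = "deny=frame,post,auth; AllowSameOrigin; allow=*.opera.com,example.net;"


def parse_policy(header_value):
    """Split 'deny=...; AllowSameOrigin; allow=...' into a policy dict."""
    policy = {"deny": set(), "allow": [], "same_origin": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        if directive.lower() == "allowsameorigin":
            policy["same_origin"] = True
            continue
        key, _, value = directive.partition("=")
        items = [v.strip().lower() for v in value.split(",") if v.strip()]
        if key.strip().lower() == "deny":
            policy["deny"].update(items)
        elif key.strip().lower() == "allow":
            policy["allow"].extend(items)
    return policy


def origin_of(url):
    """Origin tuple (scheme, host, port) used for the same-origin check."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def is_permitted(policy, resource_url, requester_url, action):
    """Return True if `action` ('frame', 'post' or 'auth') from the requester's
    origin may touch the resource. A browser would evaluate this after the
    unauthenticated pre-flight fetch that returned the header."""
    action = action.lower()
    if action not in policy["deny"]:
        return True  # the resource does not restrict this action at all
    if policy["same_origin"] and origin_of(resource_url) == origin_of(requester_url):
        return True  # AllowSameOrigin: the resource's own origin is exempt
    requester_host = origin_of(requester_url)[1]
    # fnmatch anchors the whole host, so '*.opera.com' cannot match a host
    # that merely contains 'opera.com' somewhere other than as its suffix.
    return any(fnmatch(requester_host, pattern) for pattern in policy["allow"])
```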