- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 11 Aug 2010 19:39:19 +0200
On Wed, 11 Aug 2010 19:03:28 +0200, Adam Barth <w3c at adambarth.com> wrote: > On Wed, Aug 11, 2010 at 8:05 AM, Markus Ernst <derernst at gmx.ch> wrote: >> A solution at authoring level for cases where the author controls both >> pages >> would be quite helpful. I think of a meta element in the embedded >> document >> that specifies one or more domains that are allowed to embed it >> seamlessly >> in an iframe, such as e.g.: >> <meta name="allow-seamless-embedding" name="domain.tld, >> otherdomain.tld"> >> >> I think that this would be ok from a security POV, and much easier than >> using CORS. > > That feels like re-inventing CORS. Maybe we should make CORS easier > to use instead? What exactly is hard about it? (Though I should note we should carefully study whether using CORS here is safe and sound. For instance, you may want to allow seamless embedding, but not share content.) -- Anne van Kesteren http://annevankesteren.nl/
Received on Wednesday, 11 August 2010 10:39:19 UTC