phranque - 2:20 am on Jun 18, 2011 (gmt 0)
I am wondering if this works cross-domain? Because it could be a heaven for hackers - it is bad enough searching for canonical insertion in your html via view source, but now it seems we would have to inspect headers too ?
assuming it's implemented as is the link rel canonical, it works cross-domain.
About rel="canonical" - Webmaster Tools Help:
not sure how easy it would be to inject HTTP headers without access to the server.
also, the link rel canonical only works in the <head>, not in the <html> section of a text/html document, which reduces the possibility of canonical injection through UGC.