phranque - 2:20 am on Jun 18, 2011 (gmt 0)

I am wondering if this works cross-domain? Because it could be a heaven for hackers - it is bad enough searching for canonical insertion in your html via view source, but now it seems we would have to inspect headers too ?

assuming it's implemented as is the link rel canonical, it works cross-domain.
About rel="canonical" - Webmaster Tools Help:
http://www.google.com/support/webmasters/bin/answer.py?answer=139394 [google.com]

not sure how easy it would be to inject HTTP headers without access to the server.

also, the link rel canonical only works in the <head>, not in the <html> section of a text/html document, which reduces the possibility of canonical injection through UGC.