x-frame-options header set but can still embed in iframe? - html

The x-frame-options header is confirmed as set to SAMEORIGIN, but when creating a simplistic local HTML file e.g.
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="http://www.yoursite.com/sensitive-page" width="500" height="500">
</iframe>
</body>
</html>
and attempting to embed the target page, I'm able to do so without issue.
What could be causing this?
Thanks

Some reasons I can think of:
Page is being loaded from the same origin, hence allowed.
"X-Frame-Options" or "SAMEORIGIN" is not spelled correctly and hence ignored.
Content-Security-Policy frame-ancestors directive is more permissive and X-Frame-Options is ignored when it is set. If this is the case it should be blocked in IE which doesn't understand Content-Security-Policy.
Your browser is more lenient with local files.
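The answer above lists four candidate explanations: same-origin loading, a misspelled header or value, a Content-Security-Policy frame-ancestors directive that overrides X-Frame-Options, and the opaque origin of a local file. The following Python script is an added example (not from the question or any answer) that models the browser's decision for each of those cases from a response's headers. It is a simplified model of the real rules: header names are matched case-insensitively, a CSP frame-ancestors directive makes X-Frame-Options irrelevant, an unrecognised X-Frame-Options value is ignored rather than enforced, and a file:// document is given the opaque origin "null" (an assumption modelled on current Chrome/Firefox behaviour). Report-only policies, multiple CSP headers and the obsolete ALLOW-FROM form are not modelled. The URLs and headers in the usage section are constructed sample data.

```python
"""Decide whether a browser would let page_url be framed by framer_url,
given the framed page's response headers. Simplified model of the
X-Frame-Options and CSP frame-ancestors rules (added example)."""
from urllib.parse import urlparse


def origin_of(url):
    """scheme://host[:port] of a URL; "null" for file: documents, whose opaque
    origin never equals a web origin (assumption: matches Chrome/Firefox)."""
    p = urlparse(url)
    if p.scheme == "file" or not p.netloc:
        return "null"
    return f"{p.scheme}://{p.netloc}".lower()


def _parse_origin(origin):
    p = urlparse(origin)
    return p.scheme, p.hostname or "", p.port


def _source_matches(source, framer_origin, page_origin):
    """Simplified CSP source-expression matching for frame-ancestors."""
    src = source.lower()
    if src == "'self'":
        return framer_origin == page_origin
    if src.startswith("'"):          # 'none' or an unknown keyword: never matches
        return False
    if src == "*":
        return True
    if framer_origin == "null":      # opaque origin matches nothing except '*'
        return False
    f_scheme, f_host, f_port = _parse_origin(framer_origin)
    if src.endswith(":"):            # scheme-source such as https:
        return f_scheme == src[:-1]
    if "://" in src:
        s_scheme, s_host, s_port = _parse_origin(src)
    else:                            # bare host-source, any scheme
        s_scheme = None
        _, s_host, s_port = _parse_origin("//" + src)
    if s_scheme and s_scheme != f_scheme:
        return False
    if s_port is not None and s_port != f_port:
        return False
    if s_host.startswith("*."):      # *.example.com matches any subdomain
        return f_host.endswith(s_host[1:])
    return f_host == s_host


def framing_allowed(headers, framer_url, page_url):
    """Return (allowed, reason) for framing page_url from framer_url."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    framer, page = origin_of(framer_url), origin_of(page_url)

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # CSP frame-ancestors is present: X-Frame-Options is ignored entirely.
            # An empty source list is equivalent to 'none'.
            ok = any(_source_matches(s, framer, page) for s in value.split())
            return ok, f"CSP frame-ancestors {'allows' if ok else 'blocks'} {framer}"

    xfo = h.get("x-frame-options")
    if xfo is None:
        return True, "no X-Frame-Options header seen (check the header name is spelled exactly)"
    value = xfo.strip().upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        ok = framer == page
        return ok, f"X-Frame-Options: SAMEORIGIN, framer origin is {framer}, page origin is {page}"
    # A typo such as SAME-ORIGIN, or the obsolete ALLOW-FROM form that current
    # browsers no longer support, is an invalid value and is ignored (not enforced).
    return True, f"X-Frame-Options value {xfo!r} is invalid and ignored"


if __name__ == "__main__":
    page = "https://www.yoursite.com/sensitive-page"           # constructed sample URLs
    cases = [
        ({"X-Frame-Options": "SAMEORIGIN"}, "file:///C:/clickjack-test.html"),
        ({"X-Frame-Options": "SAMEORIGIN"}, "https://www.yoursite.com/other"),
        ({"X-Frame-Option": "SAMEORIGIN"}, "https://attacker.example/"),
        ({"X-Frame-Options": "SAME-ORIGIN"}, "https://attacker.example/"),
        ({"X-Frame-Options": "SAMEORIGIN",
          "Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
         "https://partner.example/embed"),
    ]
    for hdrs, framer in cases:
        print(framer, "->", framing_allowed(hdrs, framer, page))
```

Run it as a script to see one line per case; the first case reproduces the question's local test file, which the header should block, while the third and fourth show that a misspelled header name or value leaves the page frameable, and the last shows CSP taking precedence over X-Frame-Options.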

Related

Unable to load an URL using iFrame because of Content Security Policy

<!DOCTYPE html>
<html>
<body>
<iframe src="URL">
<p>Your browser does not support iframes.</p>
</iframe>
</body>
</html>
I am using the above code to load the URL inside an iframe and I am getting the error below:
Refused to display 'URL' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors https://inteliapp-stage.grymatter.com URL1 URL2 URL3 URL4 URL5 URL6 URL7
http://18.233.166.250 https://18.233.166.250 cdn.jsdelivr.net".
For security reasons, I am not able to mention the exact URLs. I want to know what I should add inside the meta tag for Content Security Policy to resolve the problem. If we can't resolve the problem, then how can we load the URL inside the HTML code? Please help me out. Thanks in advance.
The page you're trying to put in the frame has the policy that's being violated. There isn't any way to weaken CSP rules once sent; so unless you can modify the source of the framed page, there's not much you can do here.
You may be able to use an alternate method, such as doing an HTTP call in the background to fetch the content of that page, and manually insert that content into your page.

How do I use the HTML IFRAME element to embed content?

<!DOCTYPE html>
<html>
<head>
<title>My favorite app</title>
</head>
<body>
<iframe src="https://stackoverflow.com/questions/36047483/parsing-a-websites-html-tags-in-iframe"></iframe>
<div class="title">My App</div>
<div class="app">
<div class="image"><img src="images/app.png" alt="this is a screenshot" class="image"></div>
</div>
</body>
</html>
I tried to use the iframe tag but it doesn't work, and a blank section appears, as in that image.
the blank section that appears to me in the browsers.
That's because Stack Overflow disallows use inside a frame by setting X-Frame-Options to sameorigin...
So it is only allowed as an iframe inside Stack Overflow itself, not from your code.
Long version:
When your browser tries to access that URL from Stack Overflow, Stack Overflow returns some headers, one of them being X-Frame-Options: sameorigin, which instructs your browser not to display that URL inside an iframe, so your browser refuses to do it.
It's an SO server config (you can't do anything about it).
The Stack Overflow page you reference in the src attribute is not displayed in the iframe element because the Stack Overflow site implements an iframe blocking policy. In order to do this, it uses the X-Frame-Options header. (See also how to block website from loading in iframe?.)
You can check whether a site implements this policy by inspecting its HTTP headers. For example, in Firefox, press F12 to open the inspection tools, then go to Network, select one of the objects that were sent over HTTP and look at the headers (or filter the headers for e.g. "x-frame"). Below is what this looks like for the URL you tested:
Notice x-frame-options: SAMEORIGIN in the lower right part of the screenshot. With x-frame-options: SAMEORIGIN or x-frame-options: DENY set on the server side, you will not be able to load pages from that site inside an iframe or a frame.
For more background, see X-Frame-Options – How to Combat Clickjacking, which also explains other values that can be used in the x-frame-options header.
If you want to test with a webpage from a server that does not block loading in iframes, try for example https://wiki.archlinux.org/index.php/Tomcat.

<iframe> is not working

I'm making a simple HTML page which requires an <iframe> to show a specific area of the page. I have used iframes many times, but this time I don't know what I'm doing wrong...
Please take a look at my code and help me!
HTML
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Iframe Test</title>
</head>
<body>
<iframe src="https://www.secure-booker.com/sorelle/ShopOnline/Products.aspx" width="1000" height="1000" frameborder="0"></iframe>
</body>
</html>
The page you are trying to embed in the iframe blocks itself from being embedded.
You can see this if you open your browser's console (F12) and select the "Console" tab.
Refused to display 'https://www.secure-booker.com/sorelle/ShopOnline/Products.aspx' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' http://*.sorellechicago.com sorellechicago.com *.sorellechicago.com".
TL;DR: It's not possible.
You are not allowed to iframe this website, because they have set the following:
'X-Frame-Options' to 'SAMEORIGIN'.
You can find this from your console.
Refused to display 'https://www.secure-booker.com/sorelle/ShopOnline/Products.aspx' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' http://*.sorellechicago.com sorellechicago.com *.sorellechicago.com".
How to set these options?
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
How to set 'X-Frame-Options' on iframe?
X-Frame-Options on apache
One more note (FYI): AFAIK, there is one more thing called Frame Buster Code to prevent other domains from iframing the site. Below are the reference URLs:
https://en.wikipedia.org/wiki/Framekiller
https://davidwalsh.name/javascript-framebuster
Frame Buster Buster ... buster code needed
It's a part of clickjacking as well. Refer to the URL below as well.
1. https://en.wikipedia.org/wiki/Clickjacking
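The answers above point at the MDN and Apache documentation for setting the header, and check for it in the browser's console or Network tab. As an added example (not code from any of the posts), here is a minimal Python http.server handler that sends X-Frame-Options: SAMEORIGIN together with the equivalent CSP frame-ancestors 'self' directive (assumed to be the policy you want; newer browsers honour the CSP directive, older ones the X-Frame-Options header), plus a small client that requests a page from it and reports whether both headers arrived. The page path and body are constructed sample content.

```python
"""Serve a page with anti-framing headers and verify they are sent.
Added example; the policy values are an assumption (SAMEORIGIN / 'self')."""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# The two headers that stop other origins from framing the page. CSP
# frame-ancestors takes precedence in browsers that understand it; the
# X-Frame-Options header covers the rest. Keep them consistent with each other.
FRAMING_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}


class AntiFramingHandler(BaseHTTPRequestHandler):
    """Every response carries the anti-framing headers from FRAMING_HEADERS."""

    def do_GET(self):
        body = (b"<!doctype html><title>protected</title>"
                b"<p>This page may only be framed by its own origin.</p>")  # constructed
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        for name, value in FRAMING_HEADERS.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Bind to an ephemeral localhost port and serve in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), AntiFramingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_framing_headers(host, port, path="/sensitive-page"):
    """GET the page and return the anti-framing headers it actually sent
    (None for any that is missing), the same check as the browser Network tab."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        # getheader() matches header names case-insensitively, as browsers do
        return {name: resp.getheader(name) for name in FRAMING_HEADERS}
    finally:
        conn.close()


def check_local_server():
    """Start the server, fetch one page from it, stop it, return the headers seen."""
    server = start_server()
    try:
        host, port = server.server_address[:2]
        return fetch_framing_headers(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    seen = check_local_server()
    for name, value in seen.items():
        print(f"{name}: {value if value is not None else 'MISSING'}")
```

A missing entry in the printed output means the header was never set on the response; a value that differs from the one in FRAMING_HEADERS (for example SAME-ORIGIN) is exactly the kind of typo that browsers silently ignore, so comparing the fetched values against the intended ones is the useful check.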

Why doesn't <iframe> work properly for me?

I have a simple bit of HTML code:
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>iframe Practice</title>
</head>
<body>
<div>
<iframe src="//embed.gettyimages.com/embed/183351352?et=dbA2ZDFzQUqFbu8nRMfGww&sig=ozPqnsmwjm88sptsMM2UVS70lzd2ci-9q27BF6R0TzU=" width="507" height="407" frameborder="0" scrolling="no"></iframe>
</div>
</body>
</html>
When saved with a .html extension and opened in multiple browsers, I get a message saying "The file or directory could not be found." This is a very silly question; can somebody help me out with this?
Thanks!
You are using a scheme relative URI (one that begins with //).
This preserves the current scheme, so the content will load if you view it in a document hosted on http: or https: (normally you would get a security error if you tried to load an https: document into an http: document or vice versa).
You appear to not be using a web server, so you are trying to access the document via file: where it is not available.
You can either use an explicit scheme (replace // with http://) or do your testing on a web server (you can install one on your development system).
I'd generally recommend picking the latter option, there are many issues that crop up when you are testing documents on file: and using a development server bypasses them all.
Simply change "//embed..." in the iframe element's src property to "http://embed...".
<iframe src="http://embed.gettyimages.com/embed/183351352?et=dbA2ZDFzQUqFbu8nRMfGww&sig=ozPqnsmwjm88sptsMM2UVS70lzd2ci-9q27BF6R0TzU=" width="507" height="407" frameborder="0" scrolling="no"></iframe>
Are you trying to load the file locally with file://xxxxxxx? You cannot load an iframe this way; you need to run it with a web server.

Search Engines & iFrame

I have a very basic HTML page, supposedly:
<html>
<body>
<iframe src="http://www.google.com">
<p>Your browser does not support iframes.</p>
</iframe>
</body>
</html>
When I render the page with Google/Yahoo as a source address there is no display. This is what I see in firebug
<iframe src="http://www.google.com">
<html>
<head></head>
<body></body>
</html>
</iframe>
If I am doing something wrong, please correct me; otherwise please provide any authentic documentation on whether search engines have blocked iframes. I would really appreciate it.
P.S. You can try the above example on W3Schools too.
You cannot bypass it in browsers; they will simply refuse to display websites in an iframe that send an
X-Frame-Options header with DENY or SAMEORIGIN. It doesn't even come down to JavaScript.
For more, read on Clickjacking and X-Frame-Options.
What Google says about iframes, read here.
Refer to Avoid iFrames - or link to their content separately...
With JavaScript you can easily find out if your site is displayed inside a frameset/iframe or if it stands alone:
<script type="text/javascript">if(self!=top){/*I am framed*/}</script>
Probably Google has this code in one of its scripts, and when it finds out that its site is inside a foreign frame, it deletes its content.
With the same simple trick an HTML page can break out of every frame:
<script type="text/javascript">
if(self!=top){
top.location.replace(self.location.href);
}
</script>
If you want to try out this break-free trick, replace www.google.com in your code with the URL of my site: wissen.schoelnast.at (it is in German).