Removing header <frameset> in redirected sites - html

I am facing an issue with the mobile version of my site. The site is hosted on a different domain.
I tracked down the issue and saw that it's being caused by the <frameset> being wrapped on top of my actual html code.
Here is a snippet:
<html>
<head>
<title>Where are you</title>
<meta name="robots" content="noindex, nofollow">
<meta name="description" content="Let’s your friends and family know about your where about.">
<meta name="keywords" content="Stay connected, Plan meetup, Unreachable friend, Share location, Share photos">
</head>
<frameset rows="100%">
<frameset cols="100%">
<frame src="http://wru.buttur.com" frameborder="0">
#document
</frameset>
</frameset>
</html>
My website is getting loaded inside "#document".
Can I do some configuration on my domain to prevent this from happening?

I know this is old, but I am responding because we had a similar problem where some outside entity managed a website, and we took over after it became broken.
It was a WordPress site and everything was being wrapped inside a frameset. We were baffled by the fact that direct browser requests to hosted javascript files would work fine, but within the page it would become wrapped in frames in the network response.
Even direct jQuery.getScript() calls from external sites would exhibit the scenario. Again, worked fine if typed into browser url bar.
Turns out there's something called DNS frame forwarding.
Here's a topic that covers the scenario:
https://stackoverflow.com/questions/7083391/godaddy-dns-forward-to-ip-adds-frames-to-html
Edit:
Looks like a moderator removed that post. How strange!! Too bad as well, that post had exactly the right answer with exactly the right description.
Well basically anyone coming across this, just research DNS frame forwarding. You'll find your answer there.
Terms for Google:
website wrapped in frameset
javascript responds in frame
css in frame
Resource interpreted as Stylesheet but transferred with MIME type text/html
Uncaught SyntaxError: Unexpected token <
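The symptom described in this answer can be checked mechanically. The following is an added example, not code from the original posts: it classifies a response as a frame-forwarding (masking) wrapper when an HTML frameset with a single framed source on another host comes back. The function name, the `masked.example` host used when calling it, and the sample body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: what a masked domain returns for ANY path, including
# /style.css or /app.js (hence "transferred with MIME type text/html").
SAMPLE_WRAPPER = """<html><head><title>Where are you</title></head>
<frameset rows="100%"><frameset cols="100%">
<frame src="http://wru.buttur.com" frameborder="0">
</frameset></frameset></html>"""


class _FrameCollector(HTMLParser):
    """Notes <frameset>/<body> and collects every <frame src>."""

    def __init__(self):
        super().__init__()
        self.has_frameset = False
        self.has_body = False
        self.frame_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "frameset":
            self.has_frameset = True
        elif tag == "body":
            self.has_body = True
        elif tag == "frame":
            src = dict(attrs).get("src")
            if src:
                self.frame_srcs.append(src)


def detect_frame_forwarding(requested_url, content_type, body):
    """Return the framed target URL if the response is a masking wrapper, else None."""
    if "text/html" not in content_type.lower():
        return None  # a real stylesheet or script came back; no wrapper
    parser = _FrameCollector()
    parser.feed(body)
    parser.close()
    # A wrapper is a frameset-only document with exactly one framed source.
    if not parser.has_frameset or parser.has_body or len(parser.frame_srcs) != 1:
        return None
    target = parser.frame_srcs[0]
    requested_host = urlparse(requested_url).hostname
    target_host = urlparse(target).hostname
    # The framed source lives on a different host than the one requested.
    if target_host and target_host != requested_host:
        return target
    return None
```

A non-None result for a `.css` or `.js` URL points at the domain's forwarding settings rather than at the web server or application.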

Related

X-Frame-Options in the meta tag

I've created a test application where I look into the different defense techniques against Clickjacking and other UI redressing attacks. One of the most used techniques is the X-Frame-Options along the Frame-Busting code. What I fail to understand is the reason why the following isn't recommended, and according to OWASP (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet) doesn't work (even though it works in my test application; I can't frame the page if the following is included):
<meta http-equiv="X-Frame-Options" content="deny">
Any explanation or link to an answer would be greatly appreciated.
Apparently this is because the META tag might not be received until information has already rendered in the subframe. This still works in browsers such as Chrome and Firefox, but is ignored by IE.
According to many resources (not only your URL, but also e.g. this one) the <meta> tag should be ignored.
If your browser does not do so, that does not mean that all browsers don't do that as well. So to be on the safe side you must specify the HTTP header.
The question why so? Probably one of the reasons is the same why they tell to avoid using the following:
<meta name="robots" content="noindex" />
The reason, in my opinion, is that to get this meta tag you need to download and parse the whole page. To read the HTTP header you don't need to do so.
In this case the HTTP header is just a more efficient way to speed up the browser, so that could be the reason of forcing you to kill the meta tags.
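To make the header-versus-meta distinction in this thread testable, here is an added example (not from the original posts) that classifies a response's anti-framing protection. It goes slightly beyond the thread by also recognising the CSP `frame-ancestors` directive; the function name and category strings are assumptions chosen for illustration.

```python
from html.parser import HTMLParser


class _MetaXfo(HTMLParser):
    """Records the content of any <meta> tag that names X-Frame-Options."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Both <meta http-equiv=...> and <meta name=...> forms appear in the wild.
        key = (a.get("http-equiv") or a.get("name") or "").lower()
        if tag == "meta" and key == "x-frame-options":
            self.values.append(a.get("content", ""))


def framing_protection(headers, body):
    """Return 'header', 'allow-from', 'csp', 'meta-only' or 'none'."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "header"
    if xfo.startswith("ALLOW-FROM"):
        # Honoured by IE, ignored by current Chrome and Firefox: report it
        # separately so it is not counted as full protection.
        return "allow-from"
    for directive in h.get("content-security-policy", "").split(";"):
        if directive.strip().lower().startswith("frame-ancestors"):
            return "csp"
    parser = _MetaXfo()
    parser.feed(body)
    parser.close()
    # A meta tag alone is browser-dependent, so it is reported as its own class.
    return "meta-only" if parser.values else "none"
```

A result of `meta-only` means the page relies on behaviour that differs between browsers and should move the policy into the response header.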

IE10 iFrame loads page but doesn't display

I am trying to set up an iFrame to show a form from another domain within our company. And testing it in Chrome or Firefox works just fine.
The problem is, for IE 10, instead of showing the form, the browser is instead showing a blank page in the iFrame.
I've broken it down to a very simple test.html on my desktop. The Developer's Tools show that the network call not only works - but it registers loading files that are being included in the page I'm trying to call. I've even seen the debug statements in the form's javascript firing, and ajax calls running. But the iFrame is still showing blank.
I have hunted and searched and cannot figure out how to make this work.
The calling page has:
<!doctype html>
...
<DIV><iframe height="400" width="100%" src="http://my.domain.com/myForm?userName=clicky&email=cMcTesterton@domain.com"></iframe></DIV>
The called page has as its first two lines:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<!doctype html>
Which, of course, changes to simply
<!doctype html>
I am using URL binding, so there isn't an extension to speak of.
I have gone into IE's Internet Options -> Security -> Custom level ... -> Miscellaneous to enable "Launching Programs and files in an IFRAME" and "Navigate windows and frames across different domains".
I can't even figure out what else to look for. It especially confuses me that according to the console, it has to be reading the page I'm trying to bring up. It just isn't showing it.
You have to configure, either (1) your site http://my.domain.com or (2) the page located in the site http://my.domain.com to send out the X-Frame-Options meta tag.
The X-Frame-Options meta tag is basically a hint to tell the browser that it's safe to render the page inside an iframe.
Option 1 - configure your webserver to send out the X-Frame-Options meta tag
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="ALLOW-FROM http://my.otherdomain.com" />
</customHeaders>
</httpProtocol>
...
</system.webServer>
Option 2 - configure your page (the one referenced at src="http://my.domain.com/myForm?userName=clicky&email=cMcTesterton@domain.com") to send out the X-Frame-Options meta tag
<head>
<meta name="X-Frame-Options" content="ALLOW-FROM http://my.otherdomain.com">
....
</head>

Auto refresh in Mac not working for some site

I got a code that refreshes the html page as per the seconds I desire. I am on a Mac and I use the TextEdit app to make the HTML file. This code works for www.apple.com but it does not work for say, https://www.bitcointalk.org or http://www.macrumors.com.
I am not sure why this is happening. All I am doing is replacing the apple URL with bitcointalk url. I know I can also do this refreshing via Safari extension, but I need this code to work.
Thanks a lot
The code I am using is:
<html>
<head>
<meta http-equiv="refresh" content="5">
</head>
<FRAMESET>
<FRAME src="http://www.apple.com/">;
</FRAMESET>
</html>
EDIT: What I am trying to do is, create this html and move it to my iPhone, so that I can do the web refresh through my phone. Right now there are only paid apps in the App store that let you refresh a page automatically every few seconds/minute and they are not really that good.
As @esqew pointed out in their comment, the sites that aren't showing up forbid access via frames by setting the X-Frame-Options HTTP header to DENY or SAMEORIGIN.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

Not Sure Why Apache Server Automatically Put A Site In Frame

Is there a configuration somewhere in Apache server that causes all pages to be in a Frame? I can't seem to figure it out.
<html>
<head>
<title>Platform</title>
<meta name="keywords" content="Platform">
</head>
<frameset rows="100%,*" border="0">
<frame src="http://someURL" frameborder="0">
<frame frameborder="0" noresize="">
</frameset>
<!-- pageok -->
<!-- 01 -->
<!-- -->
</html>
It essentially takes the meta tag out and uses it for the parent page and has everything else in the content of the page in the Frame.
Please let me know if you have any idea. I can't reproduce it locally on my laptop so I figured there has to be some configuration that doesn't match, but I have no idea where to even start looking. The same configuration for reverse proxy is used.
Is there a configuration somewhere in Apache server that causes all pages to be in an iFrame?
Not that I've ever heard of.
This sort of framing is typical of sites that have bought a domain name and are using it via Masking instead of using proper DNS hosting.

Google and Amazon won't work in frames?

Am I missing something?? This code, which I think is fine, comes up with an empty page. If you change one of the URLs to facebook.com, that won't load either. Are Google, Amazon and Facebook all blocking their site from showing if it's in a frameset? (Why wouldn't they just bust out?) Or is my HTML flawed?
<html>
<head>
<title>Test</title>
</head>
<FRAMESET ROWS="71, *" FRAMEBORDER=NO FRAMESPACING=0 BORDER=0>
<FRAME SRC="http://google.com">
<FRAME SRC="http://www.amazon.com/dp/0307951529?tag=fw-book-20" name='btm'>
</FRAMESET>
</html>
They're blocking frames using x-frame-options. If you view their response headers you'll see this:
x-frame-options SAMEORIGIN
This works regardless if JavaScript is enabled. However, it does require a relatively modern browser as listed on the MDN page I linked to.
My suggestion, find a more elegant way to do what you're trying to accomplish without using frames. Frames are evil and have created some of the most evil webApps out there. Please refrain, and let us help you find a better way to solve whatever problem it is you're trying to solve by using frames.
I even support properly used iFrames, but not framesets...