I have a website which is hosted via my providers webhosting.
I have bought another domainname and forwarded my current website to it.
The technique it uses is cloacking, so my old website is a frame in my new domain.
Everything works perfectly but when I click a hyperlink that goes outside the website (e.g. facebook page), the page won't show.
I have the following error in my Google Chrome console:
Refused to display Hyperlink in a frame because it set X-Frame-Options to DENY.
Any link, tutorial help will be appreciated.
The X-Frame-Options is submitted by pages if they don't want to be displayed in frame or iframe (see mdn: The X-Frame-Options response header)
The message tells you that Facebook tells the browser, that it does not want to be displayed in a frame. To solve this problem you need to set the target attribute for these links to _top or _parent. But be award that the user could prevent these options by browser extensions.
If you plan to use the second domain instead of the first one you should think over doing a 301 redirect. What you should avoid is to find a solution that displays the same content (without iframe) on both domains, because of double content.
Related
I have created a site that lists a series of links to external websites about a specific topic and then when the user clicks on such links the links open in an iframe.
It works locally but on my shared hosting server every link that is clicked opens in the full browser (as if target were set to "_top" instead of "myIFRAME").
I have tried adding an .htaccess file to my root with this:
Header always append X-Frame-Options ALLOWALL
and this:
add_header X-Frame-Options "ALLOWALL"
as well as this:
Header always append X-Frame-Options ALLOW-FROM http://www.example.com
In each of these cases I have verified with Google Chrome Dev Tools that the headers were being set and they were, but the pages keep openig in the main browser.
Is there anything else I can do?
Or my only solution to swap iframes for deprecated frames?
Thanks
Actually I was able to make it work.
I added a:
<base target="myTargetFrameID">
in the section of my main html file.
And I also added this:
Header always unset X-Frame-Options
to an .htaccess file in the folder of the script (which I read about here: http://osric.com/chris/accidental-developer/2016/02/per-directory-x-frame-options-header-apache/)
Works now.
Thanks
You can't, and there is no workaround. Framesets won't work either; X-Frame-Options applies to all types of frames, not just iframes.
The purpose of the X-Frame-Options header is to allow a web site to prevent itself from being displayed in a frame. You cannot override it by setting headers on a page on your own domain; that would make the header useless.
If you want to link to these sites, you will need to link to them normally. You cannot display them in frames.
I want to use an iFrame to display the content of another web site (not mine) but I don't want to display other sites in that iFrame. For example, if the SRC for the iFrame is www.site.com then if a visitor clicks a link in that site that opens to another website, I want to prevent it and perhaps display a blank page or redirect back to the specified site.
The site hosting the iFrame uses Apache/PHP on a VPS.
I need to be able to restrict the iFrame content to what was originally specified. If this cannot be done using iFrame what else could work?
There is a similar post that does not work this way... only works on the content page and does nothing to prevent the host iFrame from controlling the content domain.
I know this has been asked a few times, but on all the answers I found there was someone asking if it would still work and somebody else saying that it doesn't, so I was wondering if there is a solution to this problem that still works with the latest version of chrome:
Lets say we have website with an iframe embedded in it, the iframe source is from another host. The page inside the iframe needs cookies to work, but Google Chrome seems to refuse to set cookies that are set within the iframe. (This only happens when "block 3rd party cookies" is checked which seems to be happening on its own because I have multiple reports from different users who didn't touch the advanced options)
I have control over both of the sites, though I can only modify the html on the page that contains the iframe, no server side stuff.
Things I have tried so far that didn't work:
Emedding an image from the same host as the iframe's source
making a post request to the iframe
setting up a P3P header
I can also send messages using xdm, though I don't know if that could help.
If anyone has any further ideas it would be greatly apreciated! I feel like there must be a solution to this problem somewhere
Setting cookies inside an iFrame can be troublesome. However, iFrame can access cookies set outside the iFrame. You can show the page in a popup window which sets the necessary cookies (like authentication, etc) and then access these cookies from within the iFrame.
This is very helpful in case you want to authenticate user on some other domain. Just show a popup, authenticate and set cookies, then access these cookies on your site from iFrame.
My browser is session authenticated with a website.
I am using their API to pull down images from the site so I can display them on my page.
Visiting that image url displays the image, putting it in an img tag does not:
<img src = "https://files.something.com/123123" />><!-- this doesn't show -->
arse<!-- this works -->
Any ideas on why? and how I might overcome it?
If I put in http for the link, it redirects to https any way.
There's two things worth bearing in mind here:
Your host is automatically redirecting to https. Is this deliberate?
I suspect that you're seeing coming up against cross-domain security, or that your server is actively refusing it.
To trouble-shoot: you'll want to find out what response you're getting from your images.
Open up either the 'NET' tab in Firebug, or 'Network' in Chrome Developer Tools and watch the page-load. I suspect you're going to see those images come through red with an error number. Once you've got that it's very easy to trouble-shoot why the server's refusing to serve the images.
I want to have two facebook pages open at the same time as part of my html page.
So when you go to mypage.html, there will be displayed two facebook pages. Is this possible?
I get something like:
with code like:
<frameset cols="25%,75%">
or
<iframe height="*" src="http://www.facebook.com/photo.php?fbid=10150277739848763&set=pu.105012493762&type=1&theater" width="100%">
<p>Your browser does not support iframes.</p> </iframe>
I work on Facebook's security team and actually helped write the code that causes this. We do this (a form of frame busting) to prevent clickjacking attacks where an attacker can put Facebook in an iframe, hide it, and trick the user into clicking in the facebook frame and taking some action (e.g. posting a malicious link to their profile, etc).
While Jason's answer is going in the right direction, it's not true that browsers will give you access to the DOM of a page you insert in an iframe in your page. The Same Origin Policy dictates that javascript on one domain cannot access anything on a page on a different domain.
Facebook prevents you from linking directly to the actual site via IFRAME (or any frame). This is because any site putting Facebook in an IFRAME(or any frame) could use Javascript to access elements of the facebook page, including username and password fields.
There is no way around this. It is built in to the browsers themselves to send some information along in the request header that says it is being requested to be put in frame.
Gmail and several other sites do this as well.
There are specific situations where overriding the "x-frame-options" security policy is useful, such as in digital signage where it is desirable to show an organization's facebook page in a iframe alongside other signage iframes.
Clickjacking and phishing will not occur because the organization is displaying its own facebook page on its own browser-driven display devices.
If the browser doesn't provide an internal x-frame override on its "about:flags" page, you may need to install a browser extension to override x-frame-options on the signage device.