As an example the following does not work
<iframe src="https://plus.google.com/110145602671775846965/about?hl=en" />
Even though I can visit the page directly. Is there any way of getting around this?
No, there is not. Like most Google applications, Google Plus uses the X-Frame-Options to block framing of pages on their site. This is a browser security mechanism; as such, there is no way to disable it.
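The framing check described in the answer above, as an added example (not code from any of the posts on this page). It evaluates `X-Frame-Options` and, going slightly beyond the page, the CSP `frame-ancestors` directive that supersedes it. The function name, header object shape and `.example` hosts are assumptions made for illustration.

```javascript
// Added example: would a browser let `parentOrigin` frame the page at `pageUrl`,
// given that page's response headers (header names lower-cased)?
// Simplifications (assumptions): only the direct parent is checked, and
// frame-ancestors sources are matched as exact scheme://host origins
// (no wildcards, paths or scheme-less hosts).
function framingDecision(pageUrl, headers, parentOrigin) {
  const self = new URL(pageUrl).origin;
  const parent = new URL(parentOrigin).origin;

  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  const csp = headers["content-security-policy"] || "";
  const directive = csp.split(";").map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    const ok = directive.slice(1).some(src => {
      if (src === "'none'") return false;
      if (src === "'self'") return parent === self;
      try { return new URL(src).origin === parent; } catch { return false; }
    });
    return { allowed: ok, reason: "CSP " + directive.join(" ") };
  }

  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN")
    return { allowed: parent === self, reason: "X-Frame-Options: SAMEORIGIN" };
  // No header, or a value current browsers ignore (e.g. ALLOW-FROM).
  return { allowed: true, reason: "no effective framing restriction" };
}

// Constructed sample responses (not captured from any real site).
const samples = [
  ["https://social.example/profile", { "x-frame-options": "SAMEORIGIN" }],
  ["https://docs.example/embed", { "content-security-policy":
      "default-src 'self'; frame-ancestors https://blog.example" }],
  ["https://legacy.example/", {}],
];
for (const [url, headers] of samples) {
  const d = framingDecision(url, headers, "https://blog.example");
  console.log(url, d.allowed ? "frameable" : "blocked", "(" + d.reason + ")");
}
```

A page that returns neither header, like the last sample, can be framed by any site, which is the gap site owners close by sending one of them.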
I want to use Google Docs in my Django site by embedding it with an iframe tag
Or the link provided by Google for embedding.
Is there any security threat in using this method of embedding?
It really depends on what you are putting in the IFRAME, or whether someone is putting your site in their IFRAME. If the foreign site is a "normal" site, no worries, but if you allow anyone to put your site in an IFRAME, you can become part of an unwanted site.
I personally use IFRAMEs only from my own other sites, where it can't be done differently, or from extremely trusted sites (like YouTube). I also prevent everyone from putting my site in an IFRAME.
There are tons of posts around, so I would recommend taking a look on Google.
I used to display web pages in iframes. But when I tried to display my Stack Overflow user info in an iframe, it went wrong. The content is not getting displayed. What may be the possible reason (or reasons) for this behavior? How can I display my page in an iframe? Is it possible to display it in an iframe with pure HTML, or is there any need for JavaScript or AJAX or something like that? If this is not possible, is there any workaround for this?
Here is a Live Demo.
A possible reason for this could be the same as that of Google, as some sites do not allow their sites to be iframed.
To quote from #Daan:
Google uses an X-FRAME-OPTIONS HTTP header to disallow putting their pages in iframes: https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
Could be a case with SO too.
I would like to embed the public view of my Google Scholar page into my personal webpage. I used the iframe tags, however the resulting box is just empty. What are the general rules for where the iframe tag applies?
Short answer: you cannot, because Google refuses to allow other sites to embed its pages. Actually, if you are using a debugger, it should warn you that Google is using the same origin policy on its response:
Refused to display 'http://scholar.google.fr/...' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
Want to know all about <iframe>? Follow the link below.
http://www.w3schools.com/tags/tag_iframe.asp
My opinion is to avoid iframes because of bookmarking and navigation.
Here are some alternatives
Alternatives to Iframe
http://icant.co.uk/articles/crossdomain-ajax-with-jquery/index.html
The way I solved this is by exporting all my publications from Google Scholar to a bib file then use bibbase.org to create a publications page using the generated bib file. You can embed the generated page into your website. Works fine and looks good.
I had the following iframe which renders the video. In IE8, I am getting the security popup error.
<iframe src="https://fast.wistia.com/embed/iframe/223ewe311111112?videoWidth=310&videoHeight=120&controlsVisibleOnLoad=true&playerColor=1213221&plugin%5Bsocialbar%5D%5Bversion%5D=v1&plugin%5Bsocialbar%5D%5Bbuttons%5D=email-twitter-googlePlus-facebook&plugin%5Bsocialbar%5D%5Blogo%5D=true&plugin%5Bsocialbar%5D%5BtweetText%5D=May%20to%I%20New%Help%20You%20&plugin%5Bsocialbar%5D%5BbadgeUrl%5D=https%3A%2F%2Fwistia.com&plugin%5Bsocialbar%5D%5BbadgeImage%5D=https%3A%2F%2Fprime-cdn.wistia.com%2Fdeliveries%2Fe6e6be3fsdfsdfsdfsdf7e0a69.jpg%3Fimage_crop_resized%3D100x20" target="_blank" rel="nofollow" allowtransparency="true" frameborder="0" scrolling="no" class="wistia_embed" name="wistia_embed" width="310" height="120"></iframe>
I came to know that they updated their IFRAME API on their framework. Will it be a cause for rendering the popup in IE8 only? Using the HTTPWATCH plugin in IE8, I found that all resources are rendering HTTPS only. So, because of this iframe tag only, it is rendering the popup. I put this iframe tag in a separate HTML page and opened it in the IE8 browser. It is showing the security popup.
First, you better get that example embed code checked out! :) It doesn't look like the iframe src is valid (it leads to a 404 page), which made this a little difficult to test. There are also some weirdnesses like target="_blank" on the iframe, which I don't think is produced by Wistia.
Anyway, I stapled the options onto a different media's embed code and I think I figured out your issue. The domain for the logo in the socialbar is what's causing the security warning.
If you upload your logo in the SuperEmbed Builder then switch to an SSL (under Embed Type > Advanced Options), it will also switch the domain of the logo to one that has a security certificate. I'm guessing that you produced a non-SSL embed, then manually switched it from http: to https:. In many cases this doesn't matter, but it does in this one unfortunately.
My recommendation is to produce the embed code directly from the SuperEmbed Builder and switch SSL on there.
What's the nature of the error you're getting? "Unsafe JavaScript attempt to access frame with URL [URL redacted] from frame with URL [URL redacted]. Domains, protocols and ports must match."
If so, there are a number of threads here at StackOverflow that also mention this error. While annoying, it is extremely unlikely to be detrimental to how your site works; it's simply a symptom of having unmatched domains, ports and protocols between the iframe and the page it's embedded on.
So yeah, as long as the content on the page appears to be fine, you can most likely ignore that particular error.
As an alternative, try the Wistia API embed style, which you can also use SSL with--should help you avoid seeing this.
I want to have two Facebook pages open at the same time as part of my HTML page.
So when you go to mypage.html, there will be displayed two Facebook pages. Is this possible?
I get something like:
with code like:
<frameset cols="25%,75%">
or
<iframe height="*" src="http://www.facebook.com/photo.php?fbid=10150277739848763&set=pu.105012493762&type=1&theater" width="100%">
<p>Your browser does not support iframes.</p> </iframe>
I work on Facebook's security team and actually helped write the code that causes this. We do this (a form of frame busting) to prevent clickjacking attacks where an attacker can put Facebook in an iframe, hide it, and trick the user into clicking in the Facebook frame and taking some action (e.g. posting a malicious link to their profile, etc).
While Jason's answer is going in the right direction, it's not true that browsers will give you access to the DOM of a page you insert in an iframe in your page. The Same Origin Policy dictates that JavaScript on one domain cannot access anything on a page on a different domain.
Facebook prevents you from linking directly to the actual site via IFRAME (or any frame). This is because any site putting Facebook in an IFRAME (or any frame) could use JavaScript to access elements of the Facebook page, including username and password fields.
There is no way around this. It is built in to the browsers themselves to send some information along in the request header that says it is being requested to be put in frame.
Gmail and several other sites do this as well.
There are specific situations where overriding the "x-frame-options" security policy is useful, such as in digital signage where it is desirable to show an organization's Facebook page in an iframe alongside other signage iframes.
Clickjacking and phishing will not occur because the organization is displaying its own Facebook page on its own browser-driven display devices.
If the browser doesn't provide an internal x-frame override on its "about:flags" page, you may need to install a browser extension to override x-frame-options on the signage device.