fatkatie Posted March 30, 2017

I want to embed a page but I don't want to try and embed those that disallow it. Various posts say look for a header key 'X-Frame-Options' with a value of 'DENY' 'SAMEORIGIN' 'ALLOW-FROM'. Here is a Yahoo header, which apparently is telling me NO, don't embed:

(
    [0] => HTTP/1.0 200 OK
    [Accept-Ranges] => bytes
    [Age] => 17
    [Content-Encoding] => gzip
    [Content-Type] => text/html; charset=UTF-8
    [Date] => Thu, 30 Mar 2017 15:09:33 GMT
    [Etag] => "ee37057d7e3803442fa2f524c5048911"
    [Last-Modified] => Thu, 30 Mar 2017 15:05:35 GMT
    [server] => ATS
    [x-amz-expiration] => expiry-date="Sun, 30 Apr 2017 00:00:00 GMT, rule-id="S3_data_expire
    [x-amz-id-2] => hc9rXsj9pjC7wdvjn58GdTOqNmHBkl1UF4RPBR1u9m05tsRlrzAJzhAVbpwP3Ek5PrK1TJSjB1Q=
    [x-amz-request-id] => 5B32F084782785AC
    [x-amz-version-id] => VsFXBILC9W5BLaNbLSQQr0O4DabU_CjA
    [strict-Transport-Security] => max-age=0
    [Via] => https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cSsSfU]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsSf ]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsSf ]), http/1.1 media-ncache-fp2.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsNf ]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cSsSfU]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsSf ]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsSf ]), http/1.1 media-router-fp61.prod.media.bf1.yahoo.com (ApacheTrafficServer [cRs f ]), http/1.1 ir46.fp.bf1.yahoo.com (ApacheTrafficServer)
    [Content-Length] => 182248
    [P3P] => policyref="http://info.yahoo.com/w3c/p3p.xml, CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV
    [Cache-Control] => no-store, no-cache, private, max-age=0
    [Expires] => -1
)

Where should I look for the disallow? (Obtained via php get_headers('www...', 1))

Thanks.

requinix Posted March 30, 2017

Perhaps I'm not up to date but I don't see anything in there that says you can't embed it. Are you having an actual problem embedding it? Like, have you done it and your browser is showing an error in its console?

fatkatie Posted March 30, 2017

    Load denied by X-Frame-Options: https://www.yahoo.com/ does not permit framing.

I can embed other pages. When yahoo is attempted, nothing. My iframe has text between the iframe start and end tag bodies which I would have expected to see. Nothing.

ff51, w7p64

Thanks.

requinix Posted March 30, 2017

Looks like Yahoo! wasn't sending the header with your PHP request because my Chrome sees it.

Request:

    :authority:www.yahoo.com
    :method:GET
    :path:/
    :scheme:https
    accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    accept-encoding:gzip, deflate, sdch, br
    accept-language:en-US,en;q=0.8
    cache-control:no-cache
    dnt:1
    pragma:no-cache
    upgrade-insecure-requests:1
    user-agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Response:

    age:0
    cache-control:no-store, no-cache, private, max-age=0
    content-encoding:gzip
    content-type:text/html; charset=UTF-8
    date:Thu, 30 Mar 2017 16:26:48 GMT
    expires:-1
    p3p:policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
    server:ATS
    set-cookie:autorf=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=www.yahoo.com
    set-cookie:B=5t94r11cdqce8&b=3&s=9t; expires=Fri, 30-Mar-2018 16:26:48 GMT; path=/; domain=.yahoo.com
    status:200
    strict-transport-security:max-age=2592000
    vary:Accept-Encoding
    via:http/1.1 ir41.fp.ne1.yahoo.com (ApacheTrafficServer)
    x-frame-options:DENY

They may be doing browser detection.

Jacques1 Posted March 30, 2017

yahoo.com does have an X-Frame-Options header. They want a User-Agent header in the request, though.

requinix Posted March 30, 2017

> They want a User-Agent header in the request, though.

Last I knew PHP includes a user-agent like "PHP/version" automatically, so I think it's not just the presence of the header. I'm too lazy to test in PHP with a forged UA though.

fatkatie Posted March 30, 2017

    ini_set('user_agent','Mozilla/5.0');

bingo

Thanks.

Jacques1 Posted March 30, 2017

> I'm too lazy to test in PHP with a forged UA though.

I have tested it, and they don't care.
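
The header check the thread is after, as an added example that is not code from any of the posts above: it takes the array returned by get_headers($url, 1), matches header names case-insensitively (the two dumps in the thread show both `x-frame-options` and mixed-case keys), and also looks at the CSP `frame-ancestors` directive. The function names `header_values` and `framing_allowed` and the sample arrays are made up for illustration.

```php
<?php
// Added example. $headers has the shape returned by get_headers($url, 1).

/** Collect every value of one header, matching the name case-insensitively. */
function header_values(array $headers, string $name): array
{
    $found = [];
    foreach ($headers as $key => $value) {
        if (is_string($key) && strcasecmp($key, $name) === 0) {
            // get_headers() gives an array when a header repeats (e.g. across redirects).
            foreach ((array) $value as $v) {
                $found[] = trim($v);
            }
        }
    }
    return $found;
}

/** True only if no response header restricts framing by a third-party page. */
function framing_allowed(array $headers): bool
{
    // Conservative: any X-Frame-Options value (DENY, SAMEORIGIN, ALLOW-FROM) counts as a refusal.
    if (header_values($headers, 'X-Frame-Options') !== []) {
        return false;
    }
    // CSP frame-ancestors is the newer control; only a "*" source admits every embedder.
    foreach (header_values($headers, 'Content-Security-Policy') as $policy) {
        foreach (preg_split('/[;,]/', $policy) as $directive) {
            $tokens = preg_split('/\s+/', trim($directive), -1, PREG_SPLIT_NO_EMPTY);
            if ($tokens && strcasecmp($tokens[0], 'frame-ancestors') === 0
                && !in_array('*', array_slice($tokens, 1), true)) {
                return false;
            }
        }
    }
    return true;
}

// Constructed samples shaped like get_headers($url, 1) output.
$denied = [0 => 'HTTP/1.1 200 OK', 'x-frame-options' => 'DENY'];
$csp    = [0 => 'HTTP/1.1 200 OK', 'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'none'"];
$open   = [0 => 'HTTP/1.1 200 OK', 'Content-Type' => 'text/html; charset=UTF-8'];
var_dump(framing_allowed($denied), framing_allowed($csp), framing_allowed($open));

// Live use, as in the thread: ini_set('user_agent', 'Mozilla/5.0'); $h = get_headers($url, 1);
// get_headers() returns false on failure, so check the result before passing it in.
```

The result describes only the response to that one request; as the thread shows, a server can send different headers to a different User-Agent, so the browser's own decision remains authoritative.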
Archived
This topic is now archived and is closed to further replies.