fatkatie Posted March 30, 2017

I want to embed a page but I don't want to try and embed those that disallow it. Various posts say look for a header key 'X-Frame-Options' with a value of 'DENY' 'SAMEORIGIN' 'ALLOW-FROM'. Here is a Yahoo header, which apparently is telling me NO, don't embed:

    (
    [0] => HTTP/1.0 200 OK
    [Accept-Ranges] => bytes
    [Age] => 17
    [Content-Encoding] => gzip
    [Content-Type] => text/html; charset=UTF-8
    [Date] => Thu, 30 Mar 2017 15:09:33 GMT
    [Etag] => "ee37057d7e3803442fa2f524c5048911"
    [Last-Modified] => Thu, 30 Mar 2017 15:05:35 GMT
    [server] => ATS
    [x-amz-expiration] => expiry-date="Sun, 30 Apr 2017 00:00:00 GMT, rule-id="S3_data_expire
    [x-amz-id-2] => hc9rXsj9pjC7wdvjn58GdTOqNmHBkl1UF4RPBR1u9m05tsRlrzAJzhAVbpwP3Ek5PrK1TJSjB1Q=
    [x-amz-request-id] => 5B32F084782785AC
    [x-amz-version-id] => VsFXBILC9W5BLaNbLSQQr0O4DabU_CjA
    [strict-Transport-Security] => max-age=0
    [Via] => https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cSsSfU]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsSf ]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsSf ]), http/1.1 media-ncache-fp2.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsNf ]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cSsSfU]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsSf ]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsSf ]), http/1.1 media-router-fp61.prod.media.bf1.yahoo.com (ApacheTrafficServer [cRs f ]), http/1.1 ir46.fp.bf1.yahoo.com (ApacheTrafficServer)
    [Content-Length] => 182248
    [P3P] => policyref="http://info.yahoo.com/w3c/p3p.xml, CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV
    [Cache-Control] => no-store, no-cache, private, max-age=0
    [Expires] => -1
    )

Where should I look for the disallow? (Obtained via php get_headers('www...', 1))

Thanks.

requinix Posted March 30, 2017

Perhaps I'm not up to date but I don't see anything in there that says you can't embed it. Are you having an actual problem embedding it? Like, have you done it and your browser is showing an error in its console?

fatkatie (Author) Posted March 30, 2017

    Load denied by X-Frame-Options: https://www.yahoo.com/ does not permit framing.

I can embed other pages. When yahoo is attempted, nothing. My iframe has text between the iframe start and end tag bodies which I would have expected to see. Nothing.

ff51, w7p64

Thanks.

requinix Posted March 30, 2017

Looks like Yahoo! wasn't sending the header with your PHP request because my Chrome sees it.

Request:

    :authority:www.yahoo.com
    :method:GET
    :path:/
    :scheme:https
    accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    accept-encoding:gzip, deflate, sdch, br
    accept-language:en-US,en;q=0.8
    cache-control:no-cache
    dnt:1
    pragma:no-cache
    upgrade-insecure-requests:1
    user-agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Response:

    age:0
    cache-control:no-store, no-cache, private, max-age=0
    content-encoding:gzip
    content-type:text/html; charset=UTF-8
    date:Thu, 30 Mar 2017 16:26:48 GMT
    expires:-1
    p3p:policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
    server:ATS
    set-cookie:autorf=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=www.yahoo.com
    set-cookie:B=5t94r11cdqce8&b=3&s=9t; expires=Fri, 30-Mar-2018 16:26:48 GMT; path=/; domain=.yahoo.com
    status:200
    strict-transport-security:max-age=2592000
    vary:Accept-Encoding
    via:http/1.1 ir41.fp.ne1.yahoo.com (ApacheTrafficServer)
    x-frame-options:DENY

They may be doing browser detection.

Jacques1 Posted March 30, 2017 (Solution)

yahoo.com does have an X-Frame-Options header. They want a User-Agent header in the request, though.

requinix Posted March 30, 2017

> They want a User-Agent header in the request, though.

Last I knew PHP includes a user-agent like "PHP/version" automatically, so I think it's not just the presence of the header. I'm too lazy to test in PHP with a forged UA though.

fatkatie (Author) Posted March 30, 2017

    ini_set('user_agent','Mozilla/5.0');

bingo

Thanks.

Jacques1 Posted March 30, 2017

> I'm too lazy to test in PHP with a forged UA though.

I have tested it, and they don't care.

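The check this thread converges on, as an added example that is not part of any post above: fetch the headers with a User-Agent set, match header names case-insensitively (the two dumps above differ in case), and read only the final response after redirects. It goes beyond the thread by also reading the Content-Security-Policy `frame-ancestors` directive, which restricts framing in the same way; `framing_policy()` and `fetch_framing_policy()` are hypothetical names and the sample headers are constructed.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

// Reduce raw header lines, as returned by get_headers($url), to framing rules.
function framing_policy(array $lines): array
{
    $headers = [];
    foreach ($lines as $line) {
        if (stripos($line, 'HTTP/') === 0) {
            $headers = [];              // status line: keep only the last response
        } elseif (strpos($line, ':') !== false) {
            [$name, $value] = explode(':', $line, 2);
            $headers[strtolower(trim($name))][] = trim($value);
        }
    }
    $xfo = strtoupper($headers['x-frame-options'][0] ?? '');
    $ancestors = null;
    foreach ($headers['content-security-policy'] ?? [] as $csp) {
        foreach (explode(';', $csp) as $directive) {
            $parts = preg_split('/\s+/', trim($directive));
            if (strtolower($parts[0]) === 'frame-ancestors') {
                $ancestors = array_slice($parts, 1);
            }
        }
    }
    $restricted = preg_match('/^(DENY|SAMEORIGIN|ALLOW-FROM\b)/', $xfo) === 1
        || ($ancestors !== null && !in_array('*', $ancestors, true));
    return ['x_frame_options' => $xfo ?: null,
            'frame_ancestors' => $ancestors,
            'restricted'      => $restricted];
}

// Fetch headers with a User-Agent set, which the thread found yahoo.com needs.
function fetch_framing_policy(string $url): ?array
{
    $ctx = stream_context_create(['http' => ['user_agent' => 'Mozilla/5.0', 'timeout' => 10]]);
    $lines = @get_headers($url, false, $ctx);
    return $lines === false ? null : framing_policy($lines);
}

// Constructed sample: one redirect hop, then the final response.
$sample = [
    'HTTP/1.1 301 Moved Permanently',
    'Location: https://www.example.test/',
    'HTTP/1.1 200 OK',
    'Content-Type: text/html; charset=UTF-8',
    'x-frame-options: DENY',
];
print_r(framing_policy($sample));
```

`restricted` only says that the site states a framing restriction; a `frame_ancestors` list that names your own origin still permits the embed, so compare the list against your origin before giving up.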