
iframe. Site won't embed, but 'X-Frame-Options' isn't there.


Go to solution Solved by Jacques1,


I want to embed a page but I don't want to try and embed those that disallow it.

 

Various posts say to look for a header key 'X-Frame-Options' with a value of 'DENY', 'SAMEORIGIN' or 'ALLOW-FROM'.

 

Here is a Yahoo header, which apparently is telling me NO, don't embed:

(
    [0] => HTTP/1.0 200 OK
    [Accept-Ranges] => bytes
    [Age] => 17
    [Content-Encoding] => gzip
    [Content-Type] => text/html; charset=UTF-8
    [Date] => Thu, 30 Mar 2017 15:09:33 GMT
    [Etag] => "ee37057d7e3803442fa2f524c5048911"
    [Last-Modified] => Thu, 30 Mar 2017 15:05:35 GMT
    [server] => ATS
    [x-amz-expiration] => expiry-date="Sun, 30 Apr 2017 00:00:00 GMT, rule-id="S3_data_expire
    [x-amz-id-2] => hc9rXsj9pjC7wdvjn58GdTOqNmHBkl1UF4RPBR1u9m05tsRlrzAJzhAVbpwP3Ek5PrK1TJSjB1Q=
    [x-amz-request-id] => 5B32F084782785AC
    [x-amz-version-id] => VsFXBILC9W5BLaNbLSQQr0O4DabU_CjA
    [strict-Transport-Security] => max-age=0
    [Via] => https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cSsSfU]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsSf ]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsSf ]), http/1.1 media-ncache-fp2.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsNf ]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cSsSfU]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsSf ]), https/1.1 media-ncache-fp14.prod.media.bf1.yahoo.com (ApacheTrafficServer [cMsSf ]), http/1.1 media-router-fp61.prod.media.bf1.yahoo.com (ApacheTrafficServer [cRs f ]), http/1.1 ir46.fp.bf1.yahoo.com (ApacheTrafficServer)
    [Content-Length] => 182248
    [P3P] => policyref="http://info.yahoo.com/w3c/p3p.xml, CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV
    [Cache-Control] => no-store, no-cache, private, max-age=0
    [Expires] => -1
)

 

Where should I look for the disallow?  (Obtained via PHP get_headers('www...', 1))

 

Thanks.

Perhaps I'm not up to date but I don't see anything in there that says you can't embed it.

 

Are you having an actual problem embedding it? Like, have you done it and your browser is showing an error in its console?

Load denied by X-Frame-Options: https://www.yahoo.com/ does not permit framing.

 

I can embed other pages.  When yahoo is attempted, nothing.  My iframe has text between the iframe start and end tag bodies which I would have expected to see.  Nothing.

 

ff51, w7p64

 

Thanks.

Looks like Yahoo! wasn't sending the header with your PHP request because my Chrome sees it.

Request:

:authority:www.yahoo.com
:method:GET
:path:/
:scheme:https
accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
accept-encoding:gzip, deflate, sdch, br
accept-language:en-US,en;q=0.8
cache-control:no-cache
dnt:1
pragma:no-cache
upgrade-insecure-requests:1
user-agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Response:

age:0
cache-control:no-store, no-cache, private, max-age=0
content-encoding:gzip
content-type:text/html; charset=UTF-8
date:Thu, 30 Mar 2017 16:26:48 GMT
expires:-1
p3p:policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
server:ATS
set-cookie:autorf=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=www.yahoo.com
set-cookie:B=5t94r11cdqce8&b=3&s=9t; expires=Fri, 30-Mar-2018 16:26:48 GMT; path=/; domain=.yahoo.com
status:200
strict-transport-security:max-age=2592000
vary:Accept-Encoding
via:http/1.1 ir41.fp.ne1.yahoo.com (ApacheTrafficServer)
x-frame-options:DENY

They may be doing browser detection.

They want a User-Agent header in the request, though.

Last I knew PHP includes a user-agent like "PHP/version" automatically, so I think it's not just the presence of the header. I'm too lazy to test in PHP with a forged UA though.
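
An added example, not code from any poster in this thread: one way to check whether a page restricts framing before trying to embed it. It assumes, as the replies suggest, that the server varies its response by request headers, so fetchHeaders() sends a browser-like User-Agent (a constructed value). It goes beyond the thread by also checking the Content-Security-Policy frame-ancestors directive, and it reports any X-Frame-Options value as a restriction, leaving SAMEORIGIN and ALLOW-FROM for the caller to interpret. Both function names are hypothetical.

```php
<?php
// Added example; fetchHeaders() and framingRestriction() are hypothetical names.

function fetchHeaders(string $url): array
{
    // Browser-like request headers (constructed User-Agent value), since the
    // thread saw different response headers for PHP and for Chrome.
    $ctx = stream_context_create(['http' => [
        'method' => 'GET',
        'header' => "User-Agent: Mozilla/5.0 (embed-check)\r\nAccept: text/html\r\n",
    ]]);
    $headers = get_headers($url, true, $ctx); // context argument: PHP >= 7.1
    return $headers === false ? [] : $headers;
}

function framingRestriction(array $headers): ?string
{
    // Header names are case-insensitive; after redirects a value may be an array.
    $norm = [];
    foreach ($headers as $name => $value) {
        if (is_string($name)) {
            $norm[strtolower($name)] = implode(', ', (array) $value);
        }
    }
    if (isset($norm['x-frame-options'])) {
        return 'X-Frame-Options: ' . trim($norm['x-frame-options']);
    }
    // CSP frame-ancestors also controls framing; a bare * allows any embedder.
    $csp = $norm['content-security-policy'] ?? '';
    if (preg_match('/(?:^|[;,])\s*frame-ancestors\s+([^;,]*)/i', $csp, $m)) {
        $sources = trim($m[1]);
        if (!in_array('*', preg_split('/\s+/', $sources), true)) {
            return 'CSP frame-ancestors: ' . $sources;
        }
    }
    return null; // nothing in these headers restricts framing
}

// Constructed sample inputs in the shape get_headers($url, true) returns.
$samples = [
    'xfo'  => [0 => 'HTTP/1.1 200 OK', 'x-frame-options' => 'DENY'],
    'csp'  => [0 => 'HTTP/1.1 200 OK',
               'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'none'"],
    'open' => [0 => 'HTTP/1.1 200 OK', 'Content-Type' => 'text/html'],
];
foreach ($samples as $label => $headers) {
    echo $label, ': ', framingRestriction($headers) ?? 'no restriction found', PHP_EOL;
}
```

A null result only describes the headers this one request received; the browser enforces whatever headers it gets on its own request, so the iframe can still be refused.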