Hi, everybody!
Today’s post is not about SharePoint, but rather about regular Web development.
Recently, while writing a website that shows the content of other sites in IFRAMEs, I ran into a problem. The pages of some sites were shown normally inside IFRAMEs, while the pages of some other sites weren’t – the IFRAME was just empty.
But the same pages (which were not visible inside the IFRAME) displayed absolutely normally if I navigated to them in the standard way, typing the URL into the browser’s address bar. Mystery!
The first example where I observed such strange behavior was TechNet’s Blogs.
If you don’t believe me, please create a simple HTML file with only this content:
Now try to open the file in any modern browser. The content is either empty (Firefox’s behavior) or shows a warning like “To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame” (Internet Explorer, with similar text in Opera).
It turned out that a few years ago (if not months ago!), the browser vendors added support for so-called “clickjacking protection” (see more details about it in the article “How To Fight Clickjacking (Using The Recent Twitter Hijacking As An Example)”). In a few words – browsers now recognize the “X-FRAME-OPTIONS” response header (with two possible values), and the presence of this header in the response means that the page SHOULD NOT be shown in an IFRAME.
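As an added example (not code from the original post), here is a simplified model of the decision a browser makes when a framed page arrives with this header, using the two values DENY and SAMEORIGIN. The function name, the sample URLs and the handling of unrecognized values are assumptions, and only the direct parent page is compared.

```javascript
// Added example: simplified model of a browser's X-Frame-Options check.
// canBeFramed and runSamples are hypothetical names; sample data is constructed.

// responseHeaders: object of header name -> value (HTTP names are case-insensitive).
// framedUrl: URL of the page being loaded inside the IFRAME.
// parentUrl: URL of the page that contains the IFRAME.
function canBeFramed(responseHeaders, framedUrl, parentUrl) {
  let raw;
  for (const [name, value] of Object.entries(responseHeaders)) {
    if (name.toLowerCase() === 'x-frame-options') raw = value;
  }
  if (raw === undefined) {
    return { allowed: true, reason: 'no X-Frame-Options header' };
  }
  const policy = String(raw).trim().toUpperCase();
  if (policy === 'DENY') {
    return { allowed: false, reason: 'DENY: never render in a frame' };
  }
  if (policy === 'SAMEORIGIN') {
    // Origin = scheme + host + port, so http:// and https:// differ.
    const same = new URL(framedUrl).origin === new URL(parentUrl).origin;
    return same
      ? { allowed: true, reason: 'SAMEORIGIN: parent has the same origin' }
      : { allowed: false, reason: 'SAMEORIGIN: parent is a different origin' };
  }
  // Assumption: an unrecognized value is ignored, as if the header were absent.
  return { allowed: true, reason: 'unrecognized value ignored: ' + raw };
}

// Constructed sample responses (not captured from any real site).
const samples = [
  { framed: 'https://blog.example/post', parent: 'https://tool.example/',
    headers: { 'X-Frame-Options': 'DENY' } },
  { framed: 'https://blog.example/post', parent: 'https://tool.example/',
    headers: { 'x-frame-options': 'SAMEORIGIN' } },
  { framed: 'https://tool.example/help', parent: 'https://tool.example/',
    headers: { 'X-FRAME-OPTIONS': 'sameorigin' } },
  { framed: 'https://open.example/', parent: 'https://tool.example/',
    headers: { 'Content-Type': 'text/html' } },
];

// Returns one boolean per sample: true if the IFRAME would show the page.
function runSamples() {
  return samples.map(s => canBeFramed(s.headers, s.framed, s.parent).allowed);
}

console.log(runSamples());
```
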
So I needed to somehow ask the browser to ignore this response header. Unfortunately, Firefox doesn’t have any option for it. So I had either to use some intermediary proxy like WebScarab, or to use Fiddler 2 and ask it to remove the undesired header.
I used the latter. There is documentation on how to remove a header from the response stream in Fiddler 2. It worked like a charm.
UPDATE: Please note that this approach works only on the client side – so it is not possible to make a widely accessible site that shows an arbitrary site in an IFRAME if the latter site forbids showing itself in an IFRAME using X-FRAME-OPTIONS.
In my case it worked, because I was the only user of my site.
Hope it helps!

What’s the value of removing the header locally?
Users will still be unable to see the site in an iframe.
I am the only user of my site – it is an internal tool for local purposes.
And you are right – I will add proper text in the post …
just use Google Chrome
also use this ‘embed’ syntax is an example menu link http://www.youtube.com/embed/CNGTn3eismo
cheers
No, it doesn’t work – neither using the latest Google Chrome, nor the ‘embed’ syntax.
Have you checked your ideas?
I sure have – I was pulling my hair out – I am using wordpress.com, the free online blog, and my select authors kept getting the error, so I told them to switch to Chrome and I also added /embed/ to my links and hey presto – PERFECT.
Yeah, I understand – thanks for the advice!
Unfortunately, these things didn’t help.