If I use this code line:
<iframe src="https://www.google.com/" frameborder="0"></iframe>
The browser will deny access to the website.
But if I use this src, suddenly it works:
<iframe src="https://www.google.com/webhp?igu=1" frameborder="0"></iframe>
I have already seen a couple of websites where the regular domain does not work in an iframe but additions like /webhp?igu=1 make it work.
Why does that happen? Is it like a "key" / API for using it?
Where can I find working links for every website? The ones I found were only on Stack Overflow. For example, if I use Amazon, how can I find a "working link" for an iframe?
Thanks!
The X-Frame-Options: SAMEORIGIN header value is present in the headers from the https://www.google.com/ request. This prevents the page from loading in iframes.
https://www.google.com/?igu=2 omits the X-Frame-Options header. This means the page can now be loaded into iframes.
Apparently, the igu=2 value was used in one of Google's April Fools' pranks so their page could be loaded in an iframe. This means that somewhere in Google's processing of query string values, webhp?igu=1 prevents X-Frame-Options from being added to the response headers. Suppressing the X-Frame-Options header with simple query string values added to the request URL is not something other major sites are going to allow.
You can view the headers of both https://www.google.com and https://www.google.com/webhp?igu=1 here to see the difference for yourself:
https://headers.cloxy.net/
I need to get the referrer when a user is redirected from another site to my own. I am trying to get the referrer from the headers but it is empty. All attempts return null or empty:
Request.UrlReferrer
HttpContext.Current.Response.Headers["Referer"].ToString()
ServerVariables["http_referer"]
And if you look at the request headers in the browser, you will not find a referrer header.
I tried to get the referrer from JavaScript with document.referrer but it returns an empty string.
Can somebody please explain why there is no referrer header and how I can get it?
Usually, Referrer URLs are passed between two unrelated sites (from one site to another) when navigation occurs by clicking a link or through JavaScript-based navigation. Referrer URLs are not sent if the user uses the browser's address bar, back/forward buttons, etc. to navigate.
There are several reasons why the Referrer URL is empty in a request.
For some (security/privacy) reasons, the Referrer URL is stripped out when navigating from an HTTPS site to an HTTP site (e.g. from https://google.com to http://example.com).
It can also be stripped out using some other JavaScript and HTML tricks.
Once the Referrer URL has been stripped out, there is no way to disable this behavior to get it back.
I'm creating a script that embeds an iframe with my site in a client's site, but I want to limit access to this feature.
I added 2 headers to the server responses:
Content-Security-Policy: frame-ancestors example.com
X-Frame-Options: ALLOW-FROM example.com
It works, but X-Frame-Options doesn't support multiple domains, so I added a GET param to the iframe URLs that contains the frame ancestor URL.
And when http://example.net requests mysite.com/embed/?from=http://example.net, I check the whitelist and send this domain in the headers.
My problem is obtaining the real page origin that the browser uses to compare with the headers.
I tried location.origin and document.referrer but both return wrong values when I request the iframe from an iframe.
For example http://jsbin.com. I can't find a way to obtain the real URL in sandboxed code; it's always http://null.jsbin.com. But for Content-Security-Policy the browser uses http://jsbin.com/.
Is it possible to load an external website in an iframe but without sending HTTP_REFERER? I just don't want to be tracked.
If it is possible then how, and if not, is there any workaround using divs or anything else?
For an anchor tag with an external link jQuery("a").attr('rel','noreferrer'); is working, but for an iframe I've failed to make it work.
Is there any script (JS or jQuery) to make it work?
Here's a very simple solution.
Use this in your document's <head> tag and you are good to go :D
<meta name="referrer" content="none">
The meta referrer tag is placed in the <head> section of your HTML, and references one of five states, which control how browsers send referrer information from your site.
The five states are:
None: Never pass referral data
None When Downgrade: Sends referrer information to secure HTTPS sites, but not insecure HTTP sites
Origin Only: Sends the scheme, host, and port (basically, the subdomain) stripped of the full URL as a referrer, i.e. moz.com/example.html would simply send moz.com
Origin When Cross-Origin: Sends the full URL as the referrer when the target has the same scheme, host, and port (i.e. subdomain) regardless if it's HTTP or HTTPS, while sending origin-only referral information to external sites. (note: There is a typo in the official spec. Future versions should be "origin-when-cross-origin")
Unsafe URL: Always passes the URL string as a referrer. Note: if you have any sensitive information contained in your URL, this isn't the safest option. By default, URL fragments, username, and password are automatically stripped out.
Reference: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta
I came across this on MDN stating that setting the referrerpolicy attribute to no-referrer would accomplish this.
Example:
<iframe src="https://www.whatismyreferer.com/" referrerpolicy="no-referrer"></iframe>
For example, the first search result on this page leads to the older SO question, with the following HTTP request:
GET /questions/4402502/how-does-google-set-the-http-referrer-when-someone-clicks-on-a-search-result-lin HTTP/1.1
Host: stackoverflow.com
Referer: https://www.google.ru
Note, that:
Only the domain is included in the Referer header, no query string.
Google is open via HTTPS, while SO is open via plain HTTP; nevertheless, the Referer header is sent by the browser.
There are no server-side redirects involved, the first HTTP query to open after the click is to the target site.
The question is, how do they achieve this?
Google makes use of Referrer Policy.
They include the meta tag in the page:
<meta name="referrer" content="origin">
This tells browsers to use the "Origin Only" policy, that is, to send only the domain in the Referer header in any subsequent request.
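The posts above describe the referrer behaviour piecemeal: the referrer vanishing on an HTTPS-to-HTTP navigation, the five meta referrer states, the referrerpolicy attribute on an iframe, and Google's origin policy. The function below is an added example, not code from any of the answers, that computes the Referer value a browser sends for a given policy, source URL and destination URL, following the W3C Referrer Policy algorithm. The legacy meta names (none, none-when-downgrade, origin-when-crossorigin) are mapped onto the current policy tokens, and every URL in it is constructed for illustration.

```javascript
// Added example: compute the Referer header a browser will send for a request,
// per the W3C Referrer Policy algorithm. Not code from the posts above.

// Legacy <meta name="referrer"> values (as listed in the older answer) mapped
// onto the current policy tokens.
const LEGACY_NAMES = {
  "never": "no-referrer",
  "none": "no-referrer",
  "default": "no-referrer-when-downgrade",
  "none-when-downgrade": "no-referrer-when-downgrade",
  "always": "unsafe-url",
  "origin-when-crossorigin": "origin-when-cross-origin",
};

function normalizePolicy(name) {
  const p = String(name || "").trim().toLowerCase();
  return LEGACY_NAMES[p] || p;
}

// Credentials and the fragment are always stripped before a URL becomes a
// referrer; the query string survives under the full-URL policies.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// "Potentially trustworthy" origin, simplified to the cases that matter here.
function isTrustworthy(u) {
  return u.protocol === "https:" || u.protocol === "wss:" ||
         u.hostname === "localhost" || u.hostname === "127.0.0.1";
}

// Returns the Referer value, or null when no header is sent at all.
function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const full = stripForReferrer(fromUrl);
  const originOnly = from.origin + "/";                      // serialized origin plus "/"
  const sameOrigin = from.origin === to.origin;
  const downgrade = isTrustworthy(from) && !isTrustworthy(to); // e.g. HTTPS -> HTTP

  switch (normalizePolicy(policy)) {
    case "no-referrer":
      return null;
    case "origin":                               // sends the origin even on a downgrade
      return originOnly;
    case "unsafe-url":                           // full URL everywhere, downgrades included
      return full;
    case "same-origin":
      return sameOrigin ? full : null;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "origin-when-cross-origin":
      return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade":           // the old browser default
      return downgrade ? null : full;
    case "":                                     // no policy given: browser default
    case "strict-origin-when-cross-origin":      // the current browser default
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Constructed inputs, not captured traffic.
function demo() {
  return {
    googleStyle: computeReferrer("origin",
      "https://www.google.ru/search?q=referer", "http://stackoverflow.com/questions/4402502"),
    oldDefaultDowngrade: computeReferrer("no-referrer-when-downgrade",
      "https://google.com/?q=secret", "http://example.com/"),
    iframeNoReferrer: computeReferrer("no-referrer",
      "https://mysite.example/page", "https://www.whatismyreferer.com/"),
  };
}

console.log(demo());
```

The two empty-referrer cases in this thread fall out directly: under the old default policy an HTTPS page navigating to an HTTP page yields null, which is why the server-side Request.UrlReferrer and document.referrer are both empty, while Google's "origin" policy sends the origin even across that downgrade, which is the behaviour observed in the request above. Note that the policy applies to the page making the request, so an iframe's referrerpolicy attribute or the embedding page's meta tag controls what the framed site sees, not anything the framed site can set.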
Update: This works for IE but Chrome is still throwing this error.
I am attempting to iframe a site I own from another site I own. Here is the error message I am getting in the JS console in Chrome:
Multiple 'X-Frame-Options' headers with conflicting values ('AllowAll, SAMEORIGIN, AllowAll') encountered when loading 'http://subdomain.mysite.com:8080/Dir/'. Falling back to 'DENY'.
Refused to display 'http://subdomain.mysite.com:8080/Dir/' in a frame because it set 'X-Frame-Options' to 'AllowAll, SAMEORIGIN, AllowAll'.
I did a search for SAMEORIGIN everywhere; I am not setting this ANYWHERE.
The main site is www.mysite.com and the other site is subdomain.mysite.com. Obviously same-origin policies keep me from doing this.
So I have set the X-Frame-Options header on my subdomain.mysite.com to "AllowAll". In the begin-request method I have added this:
HttpContext.Current.Response.Headers.Remove("X-Frame-Options");
HttpContext.Current.Response.AddHeader("X-Frame-Options", "AllowAll");
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");
At the page level I have added this:
<meta name="x-frame-options" content="allowall" />
In JavaScript I have added this:
<script type="text/javascript">
document.domain = "mysite.com";
</script>
I am running out of things to try... Thank you in advance for your assistance.
In my case it was the anti-forgery token that was adding the header. Adding this in Application_Start stopped it from adding it:
AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
I then added the X-Frame-Options in the web.config as I needed the whole site to be in an IFrame.
Turns out MVC4 adds the header by itself (unsolicited). The only way to get around this was to explicitly remove the header.
Response.Headers.Remove("X-Frame-Options");
There may be a way to convince MVC4 not to do this but it did not surface in my scores of Google queries.
Some further detail to Mike the Tike's answer: this is added to the Application_Start method in global.asax.cs, where you'll need the using directive System.Web.Helpers.
IIS might be adding a second header after yours (you can see this by pressing F12 for Developer Tools in Chrome, attempting to load the page, then clicking Network, and right-clicking on the failed page to copy the response headers to have a look).
To stop IIS from adding the header:
Run IIS Manager
Select your website
Double click the HTTP Response Headers for the application (or on older IIS, right click on the website, click Properties, then HTTP Headers)
Then you can override or remove the extra header
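The Google igu answer at the top of the page, the frame-ancestors question about nested iframes, and the conflicting-header error in this question all come down to one browser decision: given a response's X-Frame-Options and Content-Security-Policy headers, may this page be framed by these ancestor origins? The evaluator below is an added example, not code from the posts or from any browser, that makes that decision the way current Chromium does: conflicting X-Frame-Options values fall back to DENY (the exact error quoted in this question), ALLOW-FROM and unrecognised values are ignored, and a CSP frame-ancestors directive, when present, overrides X-Frame-Options entirely, with wildcard hosts, schemes and ports matched per the CSP source-expression rules. The header sets are constructed, not captured from the real sites.

```javascript
// Added example (not from the posts above): decide whether a response may be
// framed, from its headers and the origins of every ancestor frame.
// headers: array of [name, value] pairs; a header may repeat, as it did when
// IIS/MVC and the application both emitted X-Frame-Options.

function headerValues(headers, name) {
  const n = name.toLowerCase();
  return headers.filter(([k]) => k.toLowerCase() === n).map(([, v]) => v);
}

// X-Frame-Options as Chromium applies it: all values (across repeated headers
// and comma-separated lists) are collected; two different values are a
// conflict and the page is refused ("Falling back to 'DENY'"). ALLOW-FROM and
// other unrecognised values are ignored, so the page stays frameable.
function xfoDecision(headers, frameOrigin, ancestorOrigins) {
  const tokens = headerValues(headers, "X-Frame-Options")
    .flatMap(v => v.split(","))
    .map(v => v.trim().toUpperCase())
    .filter(v => v.length > 0);
  if (tokens.length === 0) return "allow";
  if (new Set(tokens).size > 1) return "deny";             // conflicting values
  if (tokens[0] === "DENY") return "deny";
  if (tokens[0] === "SAMEORIGIN") {
    return ancestorOrigins.every(o => o === frameOrigin) ? "allow" : "deny";
  }
  return "allow";                                           // ALLOWALL, ALLOW-FROM, typos
}

// Match one CSP source expression (host-source, scheme-source, *, 'none')
// against an ancestor origin. 'self' is resolved by the caller.
function sourceMatches(src, originStr) {
  if (src === "'none'") return false;
  if (src === "*") return true;
  const o = new URL(originStr);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {                  // scheme-source, e.g. https:
    return o.protocol.toLowerCase() === src.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const oScheme = o.protocol.slice(0, -1).toLowerCase();
  if (scheme) {
    const s = scheme.toLowerCase();
    // an http: source also matches an https: origin (CSP scheme upgrade rule)
    if (s !== oScheme && !(s === "http" && oScheme === "https")) return false;
  }
  const h = o.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + want) : h !== want) return false;
  if (port === undefined) {
    if (o.port !== "") return false;                        // no port in source: default port only
  } else if (port !== "*" && port !== (o.port || (oScheme === "https" ? "443" : "80"))) {
    return false;
  }
  return true;
}

// frame-ancestors: every ancestor must satisfy every policy that carries the
// directive. Returns "allow"/"deny", or null when no policy has the directive.
function cspDecision(headers, frameOrigin, ancestorOrigins) {
  let seen = false;
  for (const policy of headerValues(headers, "Content-Security-Policy")) {
    for (const directive of policy.split(";")) {
      const parts = directive.trim().split(/\s+/).filter(Boolean);
      if (parts.length === 0 || parts[0].toLowerCase() !== "frame-ancestors") continue;
      seen = true;
      const sources = parts.slice(1);
      const ok = ancestorOrigins.every(o =>
        sources.some(src => src === "'self'" ? o === frameOrigin : sourceMatches(src, o)));
      if (!ok) return "deny";
    }
  }
  return seen ? "allow" : null;
}

// frameOrigin: origin of the framed response; ancestorOrigins: every frame
// above it (for an iframe inside an iframe, both the inner and the outer page).
function canBeFramed(headers, frameOrigin, ancestorOrigins) {
  const csp = cspDecision(headers, frameOrigin, ancestorOrigins);
  if (csp !== null) return csp === "allow";                 // frame-ancestors wins
  return xfoDecision(headers, frameOrigin, ancestorOrigins) === "allow";
}

// Constructed sample responses (not captured from the real sites).
const SAMPLES = {
  sameOriginOnly: [["X-Frame-Options", "SAMEORIGIN"]],
  noFramingHeader: [["Content-Type", "text/html"]],
  conflicting: [["X-Frame-Options", "AllowAll"], ["X-Frame-Options", "SAMEORIGIN, AllowAll"]],
  cspList: [["Content-Security-Policy",
             "frame-ancestors 'self' https://example.net https://jsbin.com https://*.jsbin.com"]],
  cspOverXfo: [["X-Frame-Options", "DENY"], ["Content-Security-Policy", "frame-ancestors https://example.net"]],
};

console.log(canBeFramed(SAMPLES.conflicting, "http://subdomain.mysite.com:8080", ["http://www.mysite.com"]));
```

Two caveats worth keeping in mind when reading the fixes in this thread. X-Frame-Options and frame-ancestors are honoured only as response headers, so the `<meta name="x-frame-options">` tag, the Access-Control-Allow-Origin header and the document.domain assignment in the question have no effect on framing; removing the duplicate header (or replacing it with a single frame-ancestors directive that lists both www.mysite.com and subdomain.mysite.com) is the whole fix. And in the earlier frame-ancestors question, the browser only ever enforces the header it receives: a `?from=` parameter chosen by the embedding page is self-reported and can be spoofed, so the server should emit the full allow-list rather than trust that value to pick one ancestor.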