3

I find this doesn't work:

<iframe src="http://www.yahoo.com"> </iframe>

I have read this question, but I don't understand what they mean by add:

<?php
header('X-Frame-Options: GOFORIT'); 
?>

I tried to add this to the top of my html file (changed it to a php file, of course), and my php file became:

<?php
header('X-Frame-Options: GOFORIT'); 
?>
<iframe src="http://www.yahoo.com"> </iframe>

I run it in my appserv (with php 5.2.6), and it doesn't work. Could anybody explain what exactly I should do to overcome this?

Sayakiss

4 Answers

6

You're out of luck: yahoo.com doesn't allow you to embed their site in an iframe. Nor does facebook or other popular sites.

The reason for this restriction is clickjacking.

You can verify this by checking the response headers from their site; they specify X-Frame-Options:SAMEORIGIN which means only yahoo.com can embed yahoo.com pages.

Some older browsers won't enforce the header but all new ones will. Afaik, there's no simple way around it.

The only solution I can think of is implementing a proxy script, i.e. you embed a script that lives on your server that fetches the remote content for you.

Eg. your iframe calls "/my-proxy.php?url=http://www.yahoo.com/" and that script would look like:

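<?php

header('X-Frame-Options: SAMEORIGIN'); // don't allow other sites to use my proxy
$url = isset($_GET['url']) ? $_GET['url'] : '';
// Only fetch http(s) URLs, so the script cannot be pointed at local files
if (!preg_match('#^https?://#i', $url)) { header('HTTP/1.1 400 Bad Request'); exit; }
echo file_get_contents($url);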

Your mileage may vary...

jmlnik
  • Seems to work! I will test it more... If no problem occurs in the following tests, you will get 200 reputation, as I promised – Sayakiss May 18 '13 at 14:17
  • coursera.org is served over HTTPS. Chances are you just need to enable/install the `php_openssl` extension for it to work. – jmlnik May 18 '13 at 14:32
  • Stackoverflow uses javascript to prevent iframe embedding. fyi, this is *not* a good solution. The good solution is to avoid iframes altogether: http://ux.stackexchange.com/questions/4934/iframe-accessibility-and-usability-issues – jmlnik May 18 '13 at 14:40
  • There are different ways for sites to prevent iframes. Some use headers (like yahoo) and others use javascript (like stackoverflow). Though there are ways to get around each of these by using proxies and rewriting the code using regular expressions, it's terribly bad practice. For a trivial example, my proxy solution is good enough, but that's about it. Sorry there's not a better solution for you. Feel free to open a new/more specific question. – jmlnik May 18 '13 at 15:16
2

You're having issues with Cross-origin resource sharing. Read these Wikipedia CORS and MDN CORS articles.

As for your snippet,

<?php
  header('X-Frame-Options: GOFORIT'); 
?>

needs to be added to the page being served and not to the page/code requesting it, which in this case would be yahoo.com. But as you don't serve yahoo.com yourself, there is no way of adding it.

However if the question was regarding your own pages and yahoo.com was just an example, you can simply set correct HTTP headers as specified in the articles, and you'd be good.
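
The header check the answers above refer to, as an added example that is not part of any answer on this page: a JavaScript model of how a browser evaluates X-Frame-Options on the framed page's response, following the HTML Standard's algorithm. The function name, argument shapes and sample headers are assumptions; a CSP frame-ancestors directive is detected but not evaluated.

```javascript
// Added example: models the X-Frame-Options check a browser applies to the
// response of the page *being framed*. All names here are hypothetical.
const RECOGNISED = new Set(["deny", "sameorigin", "allowall"]);

// headers: object of response header name -> value (constructed sample input)
// responseUrl: URL of the framed page; ancestorOrigins: URLs of the embedding page(s)
function framingAllowed(headers, responseUrl, ancestorOrigins) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // A CSP frame-ancestors directive takes precedence; X-Frame-Options is then
  // not consulted. This sketch reports that case instead of evaluating CSP.
  if (/(^|[;,])\s*frame-ancestors\s/i.test(h["content-security-policy"] || "")) {
    return { allowed: null, reason: "decided by CSP frame-ancestors" };
  }

  const raw = h["x-frame-options"];
  if (raw === undefined) return { allowed: true, reason: "no X-Frame-Options header" };

  const values = new Set(raw.split(",").map(s => s.trim().toLowerCase()).filter(Boolean));
  const known = [...values].filter(v => RECOGNISED.has(v));

  // Conflicting values (e.g. "DENY, SAMEORIGIN") fail closed.
  if (values.size > 1 && known.length > 0) {
    return { allowed: false, reason: "multiple conflicting values" };
  }
  if (values.has("deny")) return { allowed: false, reason: "DENY" };
  if (values.has("sameorigin")) {
    const self = new URL(responseUrl).origin;
    const ok = ancestorOrigins.every(o => new URL(o).origin === self);
    return { allowed: ok, reason: ok ? "same origin" : "embedder is cross-origin" };
  }
  // Unrecognised tokens such as GOFORIT are ignored: no restriction applies.
  return { allowed: true, reason: "unrecognised value ignored" };
}
```

The headers passed in are always those of the framed response, so a header sent by the embedding page never enters the decision.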

0

Some websites like google, yahoo have disabled iframe embedding for their site. If you want to do that then grab their html using curl or file_get_contents on the server side and show it.

Check the HTTP response header X-Frame-Options. I think for yahoo it should be deny or sameorigin, which means only a page of yahoo can embed its other pages in an iframe.

Manish Jangir
-2

Add the 'Ignore X-Frame headers' plugin in Google Chrome, then it's working fine.