28

Recently I tried to load the YouTube website in an iframe, but I found that it did not work. I used this simple code.

```html
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<iframe width="1000px" height="700px" src="http://www.youtube.com" ></iframe>
</body>
</html>
```

  1. I want to know why my webpage can't load the YouTube website in an iframe.

  2. What code can I use to load the YouTube website in my webpage?

  3. How can I use the same technique on my website, so no one can put my website in an iframe?

Rishi Kumar

2 Answers

47

For modern browsers, you need to enable X-Frame-Options in the header. The X-Frame-Options header can be implemented through web server configuration settings.

You can view the X-Frame-Options in the header, as in the image below: [image]

Reference: https://www.keycdn.com/blog/x-frame-options/

If your browser does not support it, then you will have NO clickjacking defense in place, and you can use the HTTP header field X-Frame-Options:

  <meta http-equiv="X-Frame-Options" content="deny">

There are three possible values for X-Frame-Options:

DENY - The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.

ALLOW-FROM uri - The page can only be displayed in a frame on the specified origin.

Krish R
  • So there's no way to use the webpage in an iframe? Because I saw some sites and software that embed the YouTube webpage, so if they can use a big website like YouTube, maybe there is a hole in this technique, or is it perfect? – Rishi Kumar Nov 07 '13 at 18:04
  • 5
    Note: As of April 2016 this meta tag no longer works in most browsers. RFC 7034 recommends this meta tag be ignored: https://tools.ietf.org/html/rfc7034#section-4 . Most major browsers removed support accordingly. See https://bugs.webkit.org/show_bug.cgi?id=156625 – mwoodman Sep 07 '16 at 16:00
  • To clarify, the HTML meta tag is indeed useless now (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#Examples), but the `X-Frame-Options` HTTP header still applies and is the correct way to do it. – Vadorequest Dec 19 '20 at 10:12
26

As of April 2016 the accepted answer by Krish R no longer works. Most browsers now ignore the meta tag as recommended by RFC 7034.

The correct way to implement this header is to have it sent with the document by the server. See the Mozilla documentation on X-Frame-Options for details.

Community
mwoodman
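The point made in the answers above, as an added example that is not code from either answer: a small JavaScript model of why the meta tag gives no protection while the server-sent header does. The function names, origins and sample responses are constructed for illustration, and treating `ALLOW-FROM` as unenforced is an assumption that reflects current browser behaviour.

```javascript
// Added example. Function names and sample responses are constructed.

// Wraps a Node http request handler so every response carries the header.
function withFrameOptions(handler, policy = 'SAMEORIGIN') {
  return (req, res) => {
    res.setHeader('X-Frame-Options', policy);
    return handler(req, res);
  };
}

// Models the decision a current browser makes before rendering `response`
// (served from pageOrigin) inside a frame on embedderOrigin.
function auditFraming(response, pageOrigin, embedderOrigin) {
  const name = Object.keys(response.headers)
    .find((h) => h.toLowerCase() === 'x-frame-options');
  if (name === undefined) {
    // A <meta http-equiv> in the body is not a header: browsers ignore it
    // (RFC 7034 section 4), so the page stays framable.
    const hasMeta = /<meta[^>]+http-equiv\s*=\s*["']?x-frame-options/i
      .test(response.body || '');
    return { framable: true, reason: hasMeta ? 'meta-tag-ignored' : 'no-header' };
  }
  const value = String(response.headers[name]).trim().toUpperCase();
  if (value === 'DENY') return { framable: false, reason: 'deny' };
  if (value === 'SAMEORIGIN') {
    const same = pageOrigin === embedderOrigin;
    return { framable: same, reason: same ? 'same-origin' : 'cross-origin' };
  }
  // Assumption: ALLOW-FROM and unknown values are not enforced by current browsers.
  return { framable: true, reason: 'value-not-enforced' };
}

// Constructed sample: a page that relies on the meta tag only.
const metaOnly = {
  headers: { 'Content-Type': 'text/html' },
  body: '<meta http-equiv="X-Frame-Options" content="deny">',
};
// Constructed sample: headers captured from the wrapped handler via a mock response.
const sent = {};
withFrameOptions((req, res) => res.end('ok'))({}, {
  setHeader: (k, v) => { sent[k] = v; },
  end: () => {},
});
const protectedPage = { headers: sent, body: '<p>ok</p>' };

console.log(auditFraming(metaOnly, 'https://mysite.example', 'https://other.example'));
console.log(auditFraming(protectedPage, 'https://mysite.example', 'https://other.example'));
console.log(auditFraming(protectedPage, 'https://mysite.example', 'https://mysite.example'));
```

In a real server the wrapper is passed to `http.createServer`; the same header can instead be set in the web server configuration, as the first answer says.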