
I'm trying to embed a Google Group into a web page on a site, but I cannot get it to work in all browsers and am stumped about why. Using the <iframe> and JavaScript code provided by the Google Groups configuration system, things work when I view the page in Safari (version 6.1, 8537.71) and Chrome (32.0.1700.107), but not Firefox (26.0) running on Mac OS X 10.8.5. Running Firefox's debug console reveals the following error:

Load denied by X-Frame-Options: https://groups.google.com/ 
does not permit framing by http://mysite.org/mypage

(where http://mysite.org/mypage is the actual page URL, of course). Now, the curious thing is that using the debug consoles in Chrome and Safari, they both report an error too—but it is about the X-Frame-Options header sent by Groups:

Invalid 'X-Frame-Options' header encountered when loading
'https://groups.google.com/forum/embed/?place=forum/myforum
&amp;domain=mydomain.org&amp;showtabs=false&amp;parenturl=
http%3A%2F%2Fmydomain.org': 'ALLOW-FROM https://groups.google.com' 
is not a recognized directive. The header will be ignored.

This seems to imply that the reason it works in Safari and Chrome is that Google is sending an invalid header (which seems unlikely) and Safari and Chrome therefore ignore it, or that both browsers are unable to interpret X-Frame-Options, which as far as I can tell, is not supposed to be the case.

Can anyone think of what might be going on, or suggest what other possible issues I can check for?

A past question on SO seemed to hit a similar or possibly the same problem, but the OP's problem apparently went away on its own, whereas mine persists whether I am logged in or out of my Google account.

EDIT 2014-02-06 #1

I've now determined that Chrome and Safari do not implement support for ALLOW-FROM in X-Frame-Options; that explains the messages in the consoles, and probably explains why those browsers do not block the embedded Google Groups page. Also, if I interpret the definition of the ALLOW-FROM option correctly, the URI provided as the value should be the enclosing page; in other words, Google should be sending back ALLOW-FROM mydomain.org and not the value it is currently sending. I guess I must be doing something wrong, but I've followed exactly Google's instructions for setting up the iframe, including the part about supplying &domain=yourdomain.com.

EDIT 2014-02-06 #2

In view of the above, my original question is basically answered: the reason Safari and Chrome display the embedded page is that they currently ignore the security header value, whereas Firefox doesn't, and correctly blocks the embedding because the value of ALLOW-FROM is not the domain of the page enclosing the iframe (mydomain.org) as it needs to be.

So the question is now: why does Google set ALLOW-FROM to https://groups.google.com rather than mydomain.org?

EDIT 2014-02-06 #3

Solved. The reason that Google was sending the X-Frame-Options value is that my <iframe> code was incorrect. For reasons that I can no longer reconstruct at this time, I was led to believe that ampersands in the src attribute value needed to be escaped, like this:

<html><body>
<iframe id="forum_embed" src="javascript:void(0)"
  scrolling="no" frameborder="0"  width="746" height="1200">
</iframe>
<script type="text/javascript">
  document.getElementById('forum_embed').src =
     "https://groups.google.com/forum/embed/?place=forum/sbml-discuss"
     + "&amp;parenturl=" + encodeURIComponent(window.location.href);
</script>
</body></html>

In fact, it does not work if written that way. But the following does:

<html><body>
<iframe id="forum_embed" src="javascript:void(0)"
  scrolling="no" frameborder="0"  width="746" height="1200">
</iframe>
<script type="text/javascript">
  document.getElementById('forum_embed').src =
     "https://groups.google.com/forum/embed/?place=forum/sbml-discuss"
     + "&parenturl=" + encodeURIComponent(window.location.href);
</script>
</body></html>

(The difference is in &parenturl.) And this is exactly what Google's instructions say to do. Which is, you know, really embarrassing....


1 Answer


This is controlled by the parentUrl url-param to the iframe src attribute.

It might just be the chrome console encoding it, but it looks like the URL for the iframe src has the '&' characters encoded.

Are you hardcoding the parentUrl attribute? or are you using 'encodeURIComponent(window.location.href)'
(from the help docs: https://support.google.com/groups/answer/1191206?hl=en)

  • I am indeed using encodeURIComponent as described in the Google help docs. My understanding is that HTML attribute values are supposed to be encoded (e.g., as discussed at http://stackoverflow.com/a/3705601/743730), so `&` is what I expect to see. Is that incorrect? – mhucka Feb 06 '14 at 15:15
  • It appears that Safari does not implement support for `ALLOW-FROM` in `X-Frame-Options`, which would explain the error message I see in the console. [This page](https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet) has a table which states that Safari does not implement `ALLOW-FROM`, and [this page](https://bugs.webkit.org/show_bug.cgi?id=94836) is a discussion on the WebKit developers' list from less than a year ago that implies the authors do not want to implement support for `ALLOW-FROM` as it stands. – mhucka Feb 06 '14 at 16:15
  • A [past discussion](http://stackoverflow.com/q/10658435/743730) on SO confirms that neither Safari nor Chrome support `ALLOW-FROM`. The [table here](https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options?redirectlocale=en-US&redirectslug=The_X-FRAME-OPTIONS_response_header) confirms this and shows other browsers' compatibility too. – mhucka Feb 06 '14 at 16:27
  • I am wrong about using `&`: it has to be unescaped. This appears to be the root of my problem. I'll update the question above. – mhucka Feb 06 '14 at 19:18
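The following is an added example, not code from the question, the answer or Google's documentation. It illustrates two things the thread above arrives at: first (EDIT #3 and the answer), that writing `&amp;` inside a JavaScript string literal is not an HTML entity but five literal characters, so the query string the Groups server receives has a key named `amp;parenturl` and no `parenturl` at all; second (EDITs #1 and #2), how a browser that honours `X-Frame-Options: ALLOW-FROM` (Firefox 26 did, Chrome 32 and Safari 6 ignored it) compares the header's origin with the top-level page's origin. The `simulatedGroupsHeader` function is a constructed stand-in for the server side, modelled on what the question observed (ALLOW-FROM falls back to groups.google.com when `parenturl` is missing); it is an assumption for illustration, not documented Google behaviour. Runs under Node.js, which provides `URL` and `URLSearchParams` as globals.

```javascript
// Added example (not from the question or Google's docs). Shows why "&amp;"
// inside a JavaScript string breaks the Google Groups embed URL, and how a
// browser that implements ALLOW-FROM evaluates the resulting header.

// Build the iframe src the way the two snippets in the question do. The only
// difference between the broken and the working version is the separator.
function buildEmbedSrc(parentUrl, separator) {
  return "https://groups.google.com/forum/embed/?place=forum/sbml-discuss"
    + separator + "parenturl=" + encodeURIComponent(parentUrl);
}

// What the server sees: the query parameters of the src, split on "&" only.
// With "&amp;" as separator the key becomes "amp;parenturl".
function queryParams(src) {
  const out = {};
  for (const [key, value] of new URL(src).searchParams) out[key] = value;
  return out;
}

// Constructed model of the server side (assumption, not Google's real logic):
// echo the origin of parenturl if it was received, otherwise fall back to the
// server's own origin, which is the value the question saw in Firefox.
function simulatedGroupsHeader(src) {
  const q = queryParams(src);
  const origin = q.parenturl ? new URL(q.parenturl).origin
                             : "https://groups.google.com";
  return "ALLOW-FROM " + origin;
}

// Model of a browser that implements the header (Firefox 26 did).
// Returns true when the framed document may be displayed inside topUrl.
// Origins are compared as scheme + host + port, which is what the header
// specifies; an unrecognised value is ignored, i.e. framing is allowed,
// which is what the Chrome/Safari console messages in the question report.
function framingAllowed(xfo, frameUrl, topUrl) {
  const frameOrigin = new URL(frameUrl).origin;
  const topOrigin = new URL(topUrl).origin;
  const value = xfo.trim();
  const upper = value.toUpperCase();
  if (upper === "DENY") return false;
  if (upper === "SAMEORIGIN") return frameOrigin === topOrigin;
  if (upper.startsWith("ALLOW-FROM ")) {
    const allowed = new URL(value.slice("ALLOW-FROM ".length).trim()).origin;
    return allowed === topOrigin;
  }
  return true;
}

// Run both variants against a constructed enclosing page URL.
function demo() {
  const page = "http://mydomain.org/mypage"; // constructed sample, not a real site
  const broken = buildEmbedSrc(page, "&amp;");
  const fixed = buildEmbedSrc(page, "&");
  return {
    brokenKeys: Object.keys(queryParams(broken)),   // ["place", "amp;parenturl"]
    fixedKeys: Object.keys(queryParams(fixed)),     // ["place", "parenturl"]
    brokenAllowed: framingAllowed(simulatedGroupsHeader(broken), broken, page), // false
    fixedAllowed: framingAllowed(simulatedGroupsHeader(fixed), fixed, page),    // true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `framingAllowed` check is also a handy way to sanity-check your own site's header policy: feed it the `X-Frame-Options` value your server emits together with the URLs you expect to be framed from, and remember that browsers without ALLOW-FROM support treat such a value as absent rather than as DENY.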