I am trying to make some application using

<iframe src="https://www.google.com" style="height: 100%;width: 100%"></iframe>

but for some reason it is not working.

  • Because they don’t _want_ you to be able to display their pages in (i)frames on your page, and they [tell your browser that](https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options). – CBroe Mar 02 '14 at 05:02

2 Answers

8

Most of the major sites prevent themselves from being loaded in an iframe to avoid Clickjacking.

Google prevents this by enforcing X-Frame-Options: SAMEORIGIN in its response header.
Same is the case with Gmail.

Facebook is using this response header X-Frame-Options: Deny

According to MDN,

Using X-Frame-Options

There are three possible values for X-Frame-Options:

DENY

The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN

The page can only be displayed in a frame on the same origin as the page itself.

ALLOW-FROM uri

The page can only be displayed in a frame on the specified origin.


And for the sake of completeness:

Twitter used to have another JavaScript hack like this

<script type="text/javascript">
//<![CDATA[
    // Frame-busting: only runs when this document is not the top-level window,
    // i.e. when someone has loaded it inside an (i)frame.
    if (window.top !== window.self) {
        // Neutralise document.write so injected content cannot be rendered.
        document.write = "";
        // Navigate the top-level window to this page, escaping the frame.
        window.top.location = window.self.location;
        // Blank the framed page's body in case the redirect is blocked.
        setTimeout(function () {
            document.body.innerHTML = '';
        }, 1);
        window.self.onload = function (evt) {
            document.body.innerHTML = '';
        };
    }
//]]>
</script>

And Yahoo! used to have this JavaScript

if(self!==self.top){b=function(){if(g.readyState=="complete"){f.remove(g,e,b);

Both essentially mean: if loaded in an iframe, clear body.innerHTML / remove it.

Twitter now enforces X-Frame-Options: SAMEORIGIN in their response headers.

naveen
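As an added example (not part of naveen's answer or any browser's code), here is the decision the three header values above encode, written as a small JavaScript check a defender can run over a site's own response headers; the origins and sample responses below are constructed, not real captures.

```javascript
// Added example, not from the answer above: the three X-Frame-Options values the
// answer lists, evaluated the way a browser would, plus a defender-side check over
// constructed sample responses. All origins below are hypothetical samples.
const THIRD_PARTY = 'https://third-party.invalid'; // stand-in for "any other site"

// Returns true if a document at pageOrigin, served with header value xfoValue,
// may be framed by a page at framerOrigin. Values are matched case-insensitively.
function framingAllowed(xfoValue, pageOrigin, framerOrigin) {
  if (xfoValue === undefined || xfoValue === null) {
    return true; // header absent: any site may frame the page
  }
  const value = String(xfoValue).trim();
  const upper = value.toUpperCase();
  if (upper === 'DENY') return false;
  if (upper === 'SAMEORIGIN') return pageOrigin === framerOrigin;
  if (upper.startsWith('ALLOW-FROM ')) {
    // Compare origins, not raw URLs, so a path in the header does not matter.
    // Note: ALLOW-FROM is obsolete and ignored by current browsers; the
    // Content-Security-Policy frame-ancestors directive is the supported allow-list.
    let allowed;
    try { allowed = new URL(value.slice('ALLOW-FROM '.length).trim()).origin; }
    catch { return false; } // unparsable URI: treat as not allowed
    return allowed === framerOrigin;
  }
  return true; // unrecognised value: browsers ignore the header, so framing is allowed
}

// Case-insensitive lookup in a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Defender-side check: can an arbitrary third-party site frame this response?
// true means the page is exposed to clickjacking via framing.
function clickjackingExposed(headers, pageOrigin) {
  return framingAllowed(getHeader(headers, 'x-frame-options'), pageOrigin, THIRD_PARTY);
}

// Constructed sample responses (not real captures), mirroring the answer's claims.
const samples = {
  'https://www.google.com':   { 'X-Frame-Options': 'SAMEORIGIN' },
  'https://www.facebook.com': { 'x-frame-options': 'DENY' },
  'https://legacy.example':   {}, // no header at all
};
for (const [origin, headers] of Object.entries(samples)) {
  console.log(origin, clickjackingExposed(headers, origin) ? 'framable by any site' : 'protected');
}
```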
0

Most servers for big companies refuse to accept requests from anyone but their domains to prevent XSS (Cross site scripting), and most modern browsers will also refuse to make the request in the first place if the "domains, subdomains, or ports" don't match, also to prevent XSS. It seems bogus, but it's trying to protect companies from XSS, DOS (Denial of Service) or DDOS (Distributed Denial of Service) and protect users from using all their bandwidth.

More info on XSS: here
More info on DOS and DDOS: here
bren