-2

I am trying to embed a webpage in an iFrame and it gives the below error:

Refused to display 'http://somewebsit.com'' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

I know this question has been addressed in other posts but I could not find a code sample of what exactly I need to add to my HTML to get around it. For example, what exactly should I put next to my link in the code below?

<iframe width="854" height="510" src="http://somewebsit.com" frameborder="0" allowfullscreen></iframe>

If it is something like &output=embed as suggested in the other forum posts, I am not sure where exactly it goes.

Thanks.

AbuMariam

1 Answer

1

You can't put anything in your HTML to get around it. That would defeat the entire object of having it in the first place.

If you want to display the page in a frame, then the server sending that page must not limit the frame to the same origin. i.e. it should not set the header.

Sticking &output=embed on the end of the URL to turn it off (which would require you to control somewebsit.com) would be pointless, since anyone could use that URL instead of the version without the query string.

You could use something like &embed=example.com on the URL, then somewebsit.com (so this still requires that you control somewebsit.com) could examine that header, check example.com against a whitelist of sites that are allowed to embed the page, then set X-Frame-Options: ALLOW-FROM example.com, but browser support for that is currently pretty poor.

Quentin
  • So are you saying there is no way for me to have that page in an iFrame unless I control it? Why then were suggestions offered in the post that I linked to? – AbuMariam Sep 02 '14 at 22:24
  • Because Google Maps has already done the security unlock. Presumably they serve a different (cut down) version of the page for third party embeds. – Quentin Sep 02 '14 at 22:43
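
The allowlist check described in the answer, sketched as the server-side decision on somewebsit.com. This is an added example, not part of the original post or the answerer's code. `ALLOWED_EMBEDDERS`, `frameHeadersFor`, the sample hosts and the https scheme are assumptions, and the `Content-Security-Policy: frame-ancestors` header is an addition: it is the standardized replacement for `ALLOW-FROM`, which the answer notes has poor browser support.

```javascript
// Added example. ALLOWED_EMBEDDERS and frameHeadersFor are hypothetical names;
// the hosts below are constructed sample values.
const ALLOWED_EMBEDDERS = new Set(["example.com", "partner.example.org"]);

// Default: the same restriction the question ran into.
const SAME_ORIGIN_ONLY = Object.freeze({
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy": "frame-ancestors 'self'",
});

// Decide the framing headers for one request URL such as
// "/page?embed=example.com". Anything unexpected falls back to SAMEORIGIN.
function frameHeadersFor(requestUrl) {
  let values;
  try {
    // The base URL is only needed to parse a relative request path.
    values = new URL(requestUrl, "http://somewebsit.com").searchParams.getAll("embed");
  } catch {
    return SAME_ORIGIN_ONLY;
  }
  // Exactly one embed parameter, or no relaxation at all.
  if (values.length !== 1) return SAME_ORIGIN_ONLY;

  const host = values[0].trim().toLowerCase();
  // Exact membership test: no suffix, prefix or substring matching, so
  // "example.com.other.test" does not pass as "example.com".
  if (!ALLOWED_EMBEDDERS.has(host)) return SAME_ORIGIN_ONLY;

  // Assumption: allowed embedders are served over https. The value written
  // into the headers equals an allowlist entry, never raw request input.
  const origin = `https://${host}`;
  return {
    // The header from the answer; several browsers never implemented ALLOW-FROM.
    "X-Frame-Options": `ALLOW-FROM ${origin}`,
    // Standardized equivalent, honoured by browsers that support CSP frame-ancestors.
    "Content-Security-Policy": `frame-ancestors ${origin}`,
  };
}
```
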