
I'm trying to find out the constraints on iframe usage.

The lines below worked fine and I can see the content in the iframe:

```html
<iframe src="https://www.w3schools.com/" height="500" width="500"></iframe>

<iframe src="https://www.w3.org/" height="500" width="500"></iframe>
```

But these lines don't work:

```html
<iframe src="https://www.microsoft.com/en-gb/" height="500" width="500"></iframe>

<iframe src="https://www.google.com/" height="500" width="500"></iframe>
```

How do I determine which websites are supported in an iframe and which are not? Is there a way to find that out without displaying the site in an iframe? I want to display a message when the user types a URL to inform him that the website is not supported in an iframe.

MKR
  • Possible duplicate of [How to show google.com in an iframe?](https://stackoverflow.com/questions/8700636/how-to-show-google-com-in-an-iframe) – ridderhoff Jul 29 '17 at 19:52
  • My question is slightly different. I'm trying to find out a way so that I can find out if it would be possible to show a particular site on my page or not. – MKR Jul 29 '17 at 19:58

1 Answer

Many websites send an "X-Frame-Options: SAMEORIGIN" response header which prevents you from displaying them in an iframe. This option prevents the browser from displaying iframes that are not hosted on the same domain as the parent page. This is a security feature to prevent click-jacking.

After doing my own test, I'm assuming you were testing within w3school's tryit.asp editor, which is why w3schools worked but the others didn't.

Also, w3.org doesn't send "x-frame-options: SAMEORIGIN" which is why it works from other domains.

Here's an image showing the error which prevents the iframe from showing.

ridderhoff
  • Yes, I was using w3school's tryit. But it worked even for https://www.w3.org/ and https://therunningbug.com/ from the same tryit page. – MKR Jul 29 '17 at 19:57
  • Edited my answer, w3.org doesn't send a sameorigin header, and I'm guessing therunningbug.com doesn't either. – ridderhoff Jul 29 '17 at 19:59
  • Is there a way to find which site has set `X-Frame-Options` to `sameorigin`? – MKR Jul 29 '17 at 20:05
  • If the site isn't showing then you can inspect element and check errors for something like the picture in my answer. – ridderhoff Jul 29 '17 at 20:07
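
The check asked about in the question, as an added example that is not part of the original thread: it decides from response headers alone whether a page may be framed, covering `X-Frame-Options` and the CSP `frame-ancestors` directive that supersedes it. It assumes your own backend has already fetched the target's headers (script in the browser cannot read cross-origin response headers) and passes them as a plain object with lowercase names; `canBeFramed`, `frameAncestors`, `sourceMatches` and the `.example` origins are hypothetical names, and scheme-less host sources and ports in wildcard sources are not handled.

```javascript
// Added example, not from the original thread. Header values are constructed samples.
// Origins are lowercase "scheme://host[:port]" strings; header names are lowercase keys.

// Return the source list of the CSP frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Does one frame-ancestors source expression cover the embedding origin?
function sourceMatches(source, embedder, target) {
  const s = source.toLowerCase().replace(/\/$/, '');
  if (s === '*') return true;
  if (s === "'self'") return embedder === target;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.startsWith(s + '//'); // scheme source
  if (s.includes('://*.')) {                      // wildcard host, e.g. https://*.example.org
    const [scheme, suffix] = s.split('://*');
    return embedder.startsWith(scheme + '://') && embedder.endsWith(suffix);
  }
  return s === embedder;                          // exact origin; 'none' never matches
}

// Decide whether `embedder` may frame a response from `target` carrying `headers`.
function canBeFramed(headers, embedder, target) {
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {                         // frame-ancestors takes precedence over XFO
    const ok = sources.some((s) => sourceMatches(s, embedder, target));
    return { allowed: ok, reason: 'CSP frame-ancestors ' + sources.join(' ') };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') return { allowed: embedder === target, reason: 'X-Frame-Options: SAMEORIGIN' };
  return { allowed: true, reason: 'no enforced framing restriction' }; // ALLOW-FROM is obsolete and ignored
}

// Constructed sample responses (not captured from the sites named in the question).
const embedder = 'https://myapp.example';
const samples = [
  ['https://a.example', { 'x-frame-options': 'SAMEORIGIN' }],
  ['https://b.example', { 'content-security-policy': "default-src 'self'; frame-ancestors https://myapp.example" }],
  ['https://c.example', {}],
];
for (const [target, headers] of samples) {
  console.log(target, canBeFramed(headers, embedder, target));
}
```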