4

I want to have two facebook pages open at the same time as part of my html page. So when you go to mypage.html, there will be displayed two facebook pages. Is this possible?

I get something like: [image]

with code like:

<frameset cols="25%,75%">

or

<iframe height="*" src="http://www.facebook.com/photo.php?fbid=10150277739848763&set=pu.105012493762&type=1&theater" width="100%">
    <p>Your browser does not support iframes.</p>
</iframe>
Roy Dictus
Ryan

3 Answers

29

I work on Facebook's security team and actually helped write the code that causes this. We do this (a form of frame busting) to prevent clickjacking attacks where an attacker can put Facebook in an iframe, hide it, and trick the user into clicking in the Facebook frame and taking some action (e.g. posting a malicious link to their profile, etc.).

While Jason's answer is going in the right direction, it's not true that browsers will give you access to the DOM of a page you insert in an iframe in your page. The Same Origin Policy dictates that JavaScript on one domain cannot access anything on a page on a different domain.

Jimmy Sawczuk
Matt Jones
    Thanks for your answer. So what is the right way to show my Facebook page in my web site without leaving my site, if any :) – Benny Margalit Sep 03 '17 at 10:13
7

Facebook prevents you from linking directly to the actual site via IFRAME (or any frame). This is because any site putting Facebook in an IFRAME (or any frame) could use JavaScript to access elements of the Facebook page, including username and password fields.

There is no way around this. It is built into the browsers themselves to send some information along in the request header that says it is being requested to be put in a frame.

Gmail and several other sites do this as well.

Jason Penick
    “This is because any site putting Facebook in an IFRAME(or any frame) could use Javascript to access elements of the facebook page” – nope, there’s the SOP to prevent that. It’s actually more about phishing – if users were used to seeing the (Facebook) login dialog within frames, then I could easily build my own version of it and show it inside a frame, and have it send the entered username/password to my own server instead of Facebook’s. And so that people always see facebook.com in the address bar, they decided not to allow displaying the login dialog and other stuff inside of frames. – CBroe Jan 03 '13 at 15:14
-1

There are specific situations where overriding the "x-frame-options" security policy is useful, such as in digital signage where it is desirable to show an organization's Facebook page in an iframe alongside other signage iframes.

Clickjacking and phishing will not occur because the organization is displaying its own Facebook page on its own browser-driven display devices.

If the browser doesn't provide an internal x-frame override on its "about:flags" page, you may need to install a browser extension to override x-frame-options on the signage device.

Dale Mahalko
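
A site can request the anti-framing protection discussed above through response headers: X-Frame-Options, named in the last answer, and the CSP frame-ancestors directive. As an added example (not code from any answer or from Facebook), this checks how a browser would treat a site's own anti-framing headers; the site name, sample headers and function names are constructed for illustration.

```javascript
// Added example: would a browser render `resourceUrl` inside a frame on
// `parentOrigin`, given the response headers? Simplified: one parent frame,
// one value per header, and http(s) host sources only.
function frameAncestors(csp) {
  // Source list of the frame-ancestors directive, or null when it is absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function sourceMatches(source, parent, self) {
  if (source === "*") return true;
  if (source.toLowerCase() === "'self'") return parent.origin === self.origin;
  const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)(:\d+)?$/i.exec(source);
  if (!m) return false; // 'none' or an unsupported form: fail closed
  let src; // URL parsing normalises case and default ports
  try { src = new URL(`${m[1]}://${m[3]}${m[4] || ""}`); } catch { return false; }
  if (src.protocol !== parent.protocol || src.port !== parent.port) return false;
  // "*.host" covers subdomains only, never the bare host itself.
  return m[2] ? parent.hostname.endsWith("." + src.hostname)
              : parent.hostname === src.hostname;
}

function framingAllowed(resourceUrl, headers, parentOrigin) {
  const self = new URL(resourceUrl);
  const parent = new URL(parentOrigin);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  // If CSP carries frame-ancestors, it decides and X-Frame-Options is ignored.
  const sources = frameAncestors(h["content-security-policy"]);
  if (sources !== null) {
    const allowed = sources.some((s) => sourceMatches(s, parent, self));
    return { allowed, decidedBy: "frame-ancestors" };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN")
    return { allowed: parent.origin === self.origin, decidedBy: "x-frame-options" };
  // Absent or unrecognised value (e.g. the obsolete ALLOW-FROM): no protection.
  return { allowed: true, decidedBy: "none" };
}

// Constructed sample headers for a hypothetical site, not captured traffic.
const SITE = "https://social.example/profile";
const weak = { "X-Frame-Options": "ALLOW-FROM https://mypage.example" };
console.log(framingAllowed(SITE, weak, "https://other.example"));
```

The ALLOW-FROM sample falls through to "allowed" for every parent, so a site that must permit one specific embedding origin needs frame-ancestors instead.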