Sites using the https protocol in an iframe are not displayed, for example:

<iframe src="https://site.com/"></iframe> 

Why don't they open, and how can I get around this?

Thanks!

  • If you are given an exhaustive answer, mark it as correct (a check mark next to the selected answer). - Nicolas Chabanovsky
  • @Nicolas Chabanovsky ♦ thanks, I know how to mark it. There is always time to mark it; it is very important for me to get at least hints on solutions - Emir Mamashov

2 answers

The developer of any site can prohibit its embedding in a frame in popular browsers using the X-Frame-Options or Content-Security-Policy: frame-ancestors ... headers.

This is done to prevent Click-through / ClickJacking attacks (clicks). An example of such an attack:

  • An angry hacker builds an eBay site frame with a Buy Now button.
  • On top of it lies a clickable overlay with a picture (click the cat on the nose!), so that the cat's nose falls exactly on the button.
  • Lures the victim to the site and waits.

It is considered good practice to prohibit embedding of your site / application, unless it is really necessary.

Google clearly forbade embedding google.com into everything except other pages on google.com (SAMEORIGIN), so it's impossible to integrate it into your website.

  • It's sad :(. Are there any alternative solutions for this problem? - Emir Mamashov
  • @EmirMamashov if there were, attackers would actively use it. - PashaPash
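
A simplified model of the check a browser applies to the headers named in the answer above, added here as an example that is not part of the original answer. The function names, the `my-site.example` origin and the sample header value are constructed for illustration; only the direct parent page is considered, and ports and paths in host-sources are ignored.

```javascript
// Added example: does one frame-ancestors source expression allow `embedder`?
function sourceAllows(source, embedder, target) {
  if (source === "*") return true;
  if (source === "'self'") return embedder.origin === target.origin;
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return embedder.protocol === source.toLowerCase();
  // host-source: [scheme://][*.]host (port and path ignored in this sketch)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)/i.exec(source);
  if (!m) return false; // covers 'none' and anything unparseable
  const [, scheme, wildcard, host] = m;
  if (scheme && embedder.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  return wildcard ? embedder.hostname.endsWith("." + h) : embedder.hostname === h;
}

// Decide whether the page at targetUrl, answering with `headers`,
// may be displayed in a frame on the page at embedderUrl.
function framingVerdict(headers, embedderUrl, targetUrl) {
  const embedder = new URL(embedderUrl), target = new URL(targetUrl);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  // When frame-ancestors is present it is enforced and X-Frame-Options is ignored.
  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    const sources = directive.slice(1);
    const ok = sources.some(s => sourceAllows(s, embedder, target));
    return { allowed: ok, reason: "CSP frame-ancestors " + sources.join(" ") };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options DENY" };
  if (xfo === "SAMEORIGIN")
    return { allowed: embedder.origin === target.origin, reason: "X-Frame-Options SAMEORIGIN" };
  return { allowed: true, reason: "no framing restriction sent" };
}

// Constructed sample: the header value mentioned in the answer above.
const sample = { "X-Frame-Options": "SAMEORIGIN" };
console.log(framingVerdict(sample, "https://my-site.example/", "https://www.google.com/"));
```
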

You just need to open your website over https too.

  • Why doesn't it open on the usual one? Can you explain in more detail, please? - Emir Mamashov
  • @EmirMamashov, it is probably a browser security policy. Well, you should also check the headers that allow the display of this particular site in the iframe. - Qwertiy
  • Are you sure that if I set up SSL the problem will be solved? You did not check? - Emir Mamashov
  • @EmirMamashov, I did not check. By the way, the browser should write the reason for the failure to the console. - Qwertiy
  • Yes, that's what it writes: Refused to display "google.com" in a frame because it set "X-Frame-Options" to "SAMEORIGIN". - Emir Mamashov