I've thought iframes were a security threat: what if the whole page you're visiting is an iframe to some rogue site?
I guess you can't really prevent that one, but it just seemed somewhat scary. What if someone iframed to your site willy nilly?
Well, I figured out they can't do that, at least not easily.
I tried to iframe Google's OAuth site, but I got the following JS console message:
Refused to display 'https://accounts.google.com/AccountChooser?...' in a frame because it set 'X-Frame-Options' to 'DENY'.
So there is a way to stop a site from being framed: the X-Frame-Options response header.
It is an HTTP response header rather than a browser setting, so it is sent by the web server, which is why it shows up as a setting in Apache (and other servers) configuration.
https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
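As an added example (not from the original post), here is a small Python model of the decision a browser makes before rendering a page in a frame, which is what produced the console message above. It assumes the standard semantics: DENY blocks all framing, SAMEORIGIN allows only the same origin, no header means framing is allowed, and a Content-Security-Policy frame-ancestors directive, when present, takes precedence over X-Frame-Options; origin matching is simplified to exact origins (no wildcards or scheme-only sources).

```python
"""Model of the browser-side framing check for X-Frame-Options / frame-ancestors.

Added example, not the original post's code. Simplifications (assumptions):
only exact origins are matched in frame-ancestors source lists, and any
unrecognised X-Frame-Options value falls through to the default (allow).
"""
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Reduce a URL to its origin: scheme://host[:port], lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def may_be_framed(headers: dict, page_url: str, framer_url: str) -> bool:
    """Return True if the page at page_url may be embedded by a page at framer_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)

    # CSP frame-ancestors, if present, overrides X-Frame-Options entirely.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        if "'none'" in sources:
            return False
        if "'self'" in sources and framer == page:
            return True
        # Exact-origin sources only (wildcards and scheme-only sources not modelled).
        return any(_origin(s) == framer for s in sources if "://" in s)

    # Fall back to X-Frame-Options.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    # No recognised protection: browsers allow framing by default.
    return True


if __name__ == "__main__":
    # Constructed sample: the header seen in the console message above.
    google = {"X-Frame-Options": "DENY"}
    print(may_be_framed(google, "https://accounts.google.com/AccountChooser",
                        "https://some-other-site.example/"))  # False
```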
Anywho, I haven't looked in to it much, just wanted to take note of it for future reference.