If I use this code line:
<iframe src="https://www.google.com/" frameborder="0"></iframe>
The browser will deny access to the website.
But if I use this src, suddenly it works:
<iframe src="https://www.google.com/webhp?igu=1" frameborder="0"></iframe>
I have already seen a couple of websites where the regular domain does not work in an iframe, but additions like /webhp?igu=1 make it work.
- Why does it happen? Is it like a “key” / API for using it?
- Where can I find working links for every website? The ones I found were only on Stack Overflow. For example, if I use Amazon, how can I find a “working link” for an iframe?
Thanks !
Answer
The X-Frame-Options: SAMEORIGIN header value is present in the headers from the https://www.google.com/ request. This prevents the page from loading in iframes. https://www.google.com/?igu=2 omits the X-Frame-Options header value, meaning the page can now be loaded into iframes. Apparently, the igu=2 value was used in one of Google’s April Fools’ pranks so their page could be loaded in an iframe. This means that somewhere in Google’s processing of query string values, webhp?igu=1 prevents X-Frame-Options from being added to the response headers. Prevention of the X-Frame-Options header value is not going to be something other major sites allow with simple query string values added to the request URL.
You can view the headers of both https://www.google.com and https://www.google.com/webhp?igu=1 here to see the difference for yourself: https://headers.cloxy.net/
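
As an added example (not part of the original answer), the sketch below applies the browser's framing rules to response headers and lists which routes of a site a third-party page could embed, which is how a site owner can spot a URL variant that drops its anti-framing header. The routes, origins and header sets are constructed, and the function names are hypothetical.

```javascript
// Added example: decide from response headers whether a page on another
// origin may frame a response. All header sets below are constructed.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent from the policy
}

// headers: object keyed by lowercase header name. pageOrigin served the
// response; embedderOrigin is the site that contains the <iframe>.
function mayBeFramed(headers, pageOrigin, embedderOrigin) {
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    // Simplification: only '*', 'self' and exact-origin sources are matched.
    return sources.some((s) =>
      s === "*" ||
      (s.toLowerCase() === "'self'" && pageOrigin === embedderOrigin) ||
      s === embedderOrigin);
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return pageOrigin === embedderOrigin;
  return true; // no anti-framing header: any site may embed the page
}

// List the routes whose responses the given embedder would be allowed to frame.
function frameableRoutes(responses, pageOrigin, embedderOrigin) {
  return Object.keys(responses).filter((path) =>
    mayBeFramed(responses[path], pageOrigin, embedderOrigin));
}

// Constructed responses for a hypothetical site; "/?embed=1" mirrors the
// pattern in the answer, where one URL variant omits the header.
const SAMPLE = {
  "/": { "x-frame-options": "SAMEORIGIN" },
  "/?embed=1": {},
  "/account": {
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'" },
  "/widget": { "x-frame-options": "DENY",
    "content-security-policy": "frame-ancestors https://partner.example" },
};
console.log(frameableRoutes(SAMPLE, "https://site.example", "https://other.example"));
```

Any route this reports for an untrusted embedder origin is a response served without effective framing protection.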