How to set X-Frame-Options on GitHub-hosted content?

I want the HTML file to load as an iframe from any URL; it is hosted by GitHub.

This solution does not work:

<?php header('X-Frame-Options: GOFORIT'); ?> 

And I suppose we cannot apply this (mod_headers), so is there a way to do this?

+6
2 answers

Support Answer:

We block the iframe to prevent mouse attacks on our users. We do this by sending an “X-Frame-Options: deny” header for each page. Clickjacking is a legitimate attack vector, and at this time we do not plan to remove the “X-Frame-Options: deny” header or allow exceptions for non-GitHub property. Unfortunately, such measures are necessary, but we are responsible for taking all practical measures to protect our users.

+6

As jeum explained, no dice with iframes, it just won't work. If you could override the directive using a meta tag, it could work, but you cannot:

Please note that this token must be sent as an HTTP header and the directive will be ignored if found in the META tag of HTTP-EQUIV.

Thus, it does not work with iframe. But should it really be an iframe? Since loading the script will still work, you can do something like this:

Script on your site (call it load_content.js):

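 // load_content.js: build a container element and inject the markup into the embedding page
 var node = document.createElement('div');
 node.innerHTML = '{place your code encoded as a JS string here}';
 // Append to <body>: document.appendChild() throws because the document already has a root element
 document.body.appendChild(node);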

And then use it from other sites:

 <script src="{URL to load_content.js}"></script> 

Of course, this has some security implications for the sites on which you use it, but this may be enough for your needs.


OTOH, why don't you just post this content elsewhere? A small virtual server is definitely not expensive (if you don’t need tons of RAM and hard disk space) (maybe I pay 6 € per month or so), and even if you can’t afford to pay money, there are sites that allow you to host multiple HTML pages for free, I think.

+1
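
The header behaviour discussed in both answers, as an added example (not code from the original posts): a simplified JavaScript model of the X-Frame-Options check in the HTML Standard, showing that only the header the server actually sends is consulted, never markup or PHP text in the page body. The `mayBeFramed` name, the origins and the sample responses are constructed for illustration.

```javascript
// Simplified model of the X-Frame-Options check in the HTML Standard.
// Only HTTP response headers are consulted; the document body never is.
function mayBeFramed(response, ancestorOrigins) {
  const h = response.headers; // lowercase header name -> value as sent by the server
  // An enforced CSP frame-ancestors directive takes over; X-Frame-Options is then ignored.
  if (/(^|[;,])\s*frame-ancestors(\s|;|,|$)/i.test(h['content-security-policy'] || '')) {
    return 'csp-decides';
  }
  const values = new Set((h['x-frame-options'] || '')
    .split(',').map(v => v.trim().toLowerCase()).filter(Boolean));
  if (values.size === 0) return 'allowed';
  const known = ['deny', 'sameorigin', 'allowall'].some(v => values.has(v));
  if (values.size > 1) return known ? 'blocked' : 'allowed'; // conflicting values fail closed
  if (values.has('deny')) return 'blocked';
  if (values.has('sameorigin')) {
    // Every ancestor frame must share the framed page's origin.
    return ancestorOrigins.every(o => o === response.origin) ? 'allowed' : 'blocked';
  }
  return 'allowed'; // unrecognised token (GOFORIT, ALLOW-FROM ...) is ignored: no protection
}

// Constructed samples; all origins are hypothetical.
const hosted = {          // the host adds "deny"; PHP/meta text in the file is just body bytes
  origin: 'https://host.example',
  headers: { 'x-frame-options': 'deny' },
  body: "<?php header('X-Frame-Options: GOFORIT'); ?>" +
        '<meta http-equiv="X-Frame-Options" content="GOFORIT">',
};
const selfHosted = {      // a server you control really sends the invalid token
  origin: 'https://mine.example',
  headers: { 'x-frame-options': 'GOFORIT' },
  body: '<p>widget</p>',
};
const sameOriginOnly = {
  origin: 'https://mine.example',
  headers: { 'x-frame-options': 'SAMEORIGIN' },
  body: '<p>widget</p>',
};

console.log(mayBeFramed(hosted, ['https://other.example']));
console.log(mayBeFramed(selfHosted, ['https://other.example']));
console.log(mayBeFramed(sameOriginOnly, ['https://mine.example', 'https://other.example']));
```

For a site owner the second case is the one to check for: a misspelled or unsupported X-Frame-Options value leaves the page without framing protection.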

Source: https://habr.com/ru/post/946902/

