openstreetmap/copyright barred from loading in a frame

Ian Dees ian.dees at gmail.com
Sat Feb 14 15:23:37 UTC 2015


On Sat, Feb 14, 2015 at 10:21 AM, Tom Hughes <tom at compton.nu> wrote:

> On 14/02/15 15:19, Richard Mann wrote:
>
>> If you look at the test webpage that I posted and click on the
>> OpenStreetMap hyperlink, it does nothing in Chrome/Firefox and in IE
>> brings up the following:
>>
>> "This content cannot be displayed in a frame
>> To help protect the security of information you enter into this website,
>> the publisher of this content does not allow it to be displayed in a
>> frame."
>>
>> A bit of googling revealed that some websites do this to prevent
>> transparent buttons being maliciously placed on top of the content
>> (clickjacking). So I figured it must have been done deliberately. But
>> maybe not! Mysterious.
>>
>
> I'm not doubting that your page does that, but I can load that page until
> I'm blue in the face and it tells me nothing about why it is doing it or
> how we control it!


Tom, I think the secret is that he wants you to click the "OpenStreetMap"
link on that page. It's supposed to load inside the iframe but doesn't.

Chrome tells me:
"Refused to display 'http://www.openstreetmap.org/copyright' in a frame
because it set 'X-Frame-Options' to 'SAMEORIGIN'."

Sure enough, it looks like the X-Frame-Options header from the rails app is
set to "SAMEORIGIN", which the browser apparently uses as a signal to
prevent it from loading.
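
The check behind the Chrome message quoted above, modelled as an added example (not part of the original message and not code from the OpenStreetMap rails app). The function name `frameDecision` and the embedding page URL are assumptions made for illustration; it handles a single header value and one level of framing.

```javascript
// Models the browser-side X-Frame-Options decision for one framed document.
// Hypothetical helper written for this illustration.
function frameDecision(xfoHeader, resourceUrl, embedderUrl) {
  if (xfoHeader == null || xfoHeader.trim() === "") {
    return { allowed: true, reason: "no X-Frame-Options header sent" };
  }
  const value = xfoHeader.trim().toUpperCase();
  // An origin is scheme + host + port, so http:// and https:// differ.
  const resourceOrigin = new URL(resourceUrl).origin;
  const embedderOrigin = new URL(embedderUrl).origin;

  if (value === "DENY") {
    return { allowed: false, reason: "DENY forbids framing by any page" };
  }
  if (value === "SAMEORIGIN") {
    const same = resourceOrigin === embedderOrigin;
    return {
      allowed: same,
      reason: same
        ? `embedder shares origin ${resourceOrigin}`
        : `embedder ${embedderOrigin} is not ${resourceOrigin}`,
    };
  }
  // Values the browser does not recognise are ignored, so framing proceeds.
  return { allowed: true, reason: `unrecognised value "${xfoHeader}" ignored` };
}

const OSM_PAGE = "http://www.openstreetmap.org/copyright"; // URL from the thread
// Constructed embedding pages (not from the thread):
const embedders = [
  "http://example.org/test.html",           // third-party site
  "http://www.openstreetmap.org/about",     // same origin as the framed page
  "https://www.openstreetmap.org/about",    // same host, different scheme
];
for (const page of embedders) {
  const d = frameDecision("SAMEORIGIN", OSM_PAGE, page);
  console.log(`${page}: ${d.allowed ? "displayed" : "refused"} (${d.reason})`);
}
```
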