openstreetmap/copyright barred from loading in a frame

Richard Mann richard.mann.westoxford at gmail.com
Sat Feb 14 15:27:22 UTC 2015


Stackoverflow has this:
http://stackoverflow.com/questions/2896623/how-to-prevent-my-site-page-to-be-loaded-via-3rd-party-site-frame-of-iframe

On Sat, Feb 14, 2015 at 3:23 PM, Ian Dees <ian.dees at gmail.com> wrote:

>
> On Sat, Feb 14, 2015 at 10:21 AM, Tom Hughes <tom at compton.nu> wrote:
>
>> On 14/02/15 15:19, Richard Mann wrote:
>>
>>> If you look at the test webpage that I posted and click on the
>>> OpenStreetMap hyperlink, it does nothing in Chrome/Firefox and in IE
>>> brings up the following:
>>>
>>> "This content cannot be displayed in a frame
>>> To help protect the security of information you enter into this website,
>>> the publisher of this content does not allow it to be displayed in a
>>> frame."
>>>
>>> A bit of googling revealed that some websites do this to prevent
>>> transparent buttons being maliciously placed on top of the content
>>> (clickjacking). So I figured it must have been done deliberately. But
>>> maybe not! Mysterious.
>>>
>>
>> I'm not doubting that your page does that, but I can load that page until
>> I'm blue in the face and it tells me nothing about why it is doing it or
>> how we control it!
>
>
> Tom, I think the secret is that he wants you to click the "OpenStreetMap"
> link on that page. It's supposed to load inside the iframe but doesn't.
>
> Chrome tells me:
> "Refused to display 'http://www.openstreetmap.org/copyright' in a frame
> because it set 'X-Frame-Options' to 'SAMEORIGIN'."
>
> Sure enough, it looks like the X-Frame-Options header from the rails app
> is set to "SAMEORIGIN", which the browser apparently uses as a signal to
> prevent it from loading.
>
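
Added example (not part of the original thread): a simplified JavaScript model of how a browser evaluates `X-Frame-Options` before rendering a framed response, applied to the `http://www.openstreetmap.org/copyright` case quoted above. The function name `framingAllowed`, the ancestor list, and the embedding page `http://example.org/test.html` are assumptions; CSP `frame-ancestors`, which takes precedence when present, is left out.

```javascript
// Simplified model of a browser's X-Frame-Options check for a framed response.
// Added illustration; framingAllowed and its inputs are hypothetical names.
function framingAllowed(xfoHeaderValues, frameUrl, ancestorUrls) {
  // Top-level loads have no ancestors and are never blocked by this header.
  if (ancestorUrls.length === 0) return { allowed: true, reason: 'top-level load' };

  // The header may be repeated or comma-separated; tokens are case-insensitive.
  const tokens = new Set(
    xfoHeaderValues
      .flatMap((v) => v.split(','))
      .map((v) => v.trim().toLowerCase())
      .filter((v) => v.length > 0)
  );
  if (tokens.size === 0) return { allowed: true, reason: 'no X-Frame-Options header' };

  const known = ['deny', 'sameorigin', 'allowall'];
  if (tokens.size > 1) {
    // Conflicting recognised values fail closed; a set of unknown values is ignored.
    const anyKnown = known.some((k) => tokens.has(k));
    return anyKnown
      ? { allowed: false, reason: 'conflicting X-Frame-Options values' }
      : { allowed: true, reason: 'unrecognised values ignored' };
  }

  const [policy] = tokens;
  if (policy === 'deny') return { allowed: false, reason: 'DENY' };
  if (policy === 'sameorigin') {
    const frameOrigin = new URL(frameUrl).origin;
    // Every ancestor must share the framed document's origin (scheme, host, port).
    const foreign = ancestorUrls.find((a) => new URL(a).origin !== frameOrigin);
    return foreign
      ? { allowed: false, reason: `SAMEORIGIN: ancestor ${new URL(foreign).origin} differs from ${frameOrigin}` }
      : { allowed: true, reason: 'SAMEORIGIN: all ancestors same-origin' };
  }
  // ALLOWALL, or a single unrecognised value such as the obsolete ALLOW-FROM, does not block.
  return { allowed: true, reason: `no blocking policy in '${policy}'` };
}

// Constructed inputs: the embedding page origin is a placeholder.
const cases = [
  [['SAMEORIGIN'], 'http://www.openstreetmap.org/copyright', ['http://example.org/test.html']],
  [['SAMEORIGIN'], 'http://www.openstreetmap.org/copyright', ['http://www.openstreetmap.org/']],
  [['SAMEORIGIN'], 'http://www.openstreetmap.org/copyright', ['https://www.openstreetmap.org/']],
];
for (const [xfo, frame, ancestors] of cases) {
  console.log(ancestors[0], '->', framingAllowed(xfo, frame, ancestors));
}
```

The third case shows that a scheme mismatch alone (https parent, http frame) is enough to fail the SAMEORIGIN comparison.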


More information about the rails-dev mailing list