Sayakiss Sayakiss - 2 months ago 21
PHP Question

Why Iframe dosen't work for yahoo.com

I find this doesn't work:

<iframe src="http://www.yahoo.com"> </iframe>


I have read this question, but I don't understand what they mean by add:

<?php
header('X-Frame-Options: GOFORIT');
?>


I tried to add this to the top of my html file(change it to php file, of course), and my php file became:

<?php
header('X-Frame-Options: GOFORIT');
?>
<iframe src="http://www.yahoo.com"> </iframe>


I run it in my appserv(with php 5.2.6), and it doesn't work. Could anybody explain what should I do exactly to overcome this?

I will add a 200 bounty for this problem after two days, and award it to the person who save me from the iframe hell. I promised.

Answer

You're out of luck: yahoo.com doesn't allow you to embed their site in an iframe. Nor does facebook or other popular sites.

The reason for this restriction is clickjacking.

You can verify this by checking the response headers from their site; they specify X-Frame-Options:SAMEORIGIN which means only yahoo.com can embed yahoo.com pages.

Some older browsers won't enforce the header but all new ones will. Afaik, there's no simple way around it.

The only solution I can think of is implementing a proxy script, i.e. you embed a script that lives on your server that fetches the remote content for you.

Eg. your iframe calls "/my-proxy.php?url=http://www.yahoo.com/" and that script would look like:

<?php

header('X-Frame-Options: SAMEORIGIN'); // don't allow other sites to use my proxy
echo file_get_contents($_GET['url']);

Your mileage may vary...