BBC and X-FRAME-ORIGIN HEADER
-
I am making a "scrapbook" application. The flow works like this:
- You do a search in the web app
- You click on the results. It loads the url into an iFrame.
- The user can select text (via some proxy iframe magic)
- They then add that to the subject scrapbook and it is added to the list of relevant searches for a particular "scrapbook".
I want to use proxy iFrames so I can transfer data between their domain and mine via the web browser.
However some sites use X-Frame-Origin: sameorigin to stop clickjacking. I am trying to detect that using a quick ajax request to see if that header is being sent, and then use the web server as a proxy to display the page if the header is present. I cannot catch the exception via JS, so I have to do this "pre-request".
I primarily want to do it this way so I can save some bandwidth on the server as I would only need to proxy pages that are served using this header.
I use python's requests library to mimic Chrome browsing the page.
- I send the same request headers as chrome, such as the user agent.
- I don't send cookie headers.
One of my test searches is the BBC, and when inspecting the request in Fiddler I see the header. When I use the requests library in python and loop through the headers dict ... there is no X-Frame-Origin present. The reason I used the BBC is because their web tech is generally first class, so if I can make it work on their site I think it should work in the vast majority of cases.
So I guessed that the BBC had some better test than the User-Agent to find out if I was a real visitor. However when I proxy the page into an iFrame it displays just fine. So my hypothesis was incorrect.
Can someone be kind enough to have a look and see if there is something obvious I am missing?
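An added example (my code, not the poster's) of the "pre-request" check described above, using only the standard library instead of `requests`: it fetches the page with Chrome-like headers and decides whether the page must go through the server-side proxy. The header actually involved is `X-Frame-Options` (the thread writes X-Frame-Origin); the CSP `frame-ancestors` directive, which newer sites use for the same purpose and which overrides X-Frame-Options, is checked as well. The origin `https://scrapbook.example` and the header values in the comments are assumptions.

```python
from urllib.request import Request, urlopen

# Request headers mimicking Chrome (constructed sample; no Cookie header).
CHROME_HEADERS = {
    "User-Agent": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-GB,en;q=0.9",
    # Chrome sends these on a frame navigation; a server may vary its
    # framing policy on them, so a plain fetch without them can look different.
    "Sec-Fetch-Dest": "iframe",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "cross-site",
}


def framing_blocked(headers, my_origin):
    """True if a browser on my_origin would refuse to show this response in an iframe.

    headers: mapping of response header name -> value (names are case-insensitive).
    CSP frame-ancestors is checked first because it overrides X-Frame-Options
    when both are present. Simplified: host wildcards such as *.example are not matched.
    """
    h = {k.lower(): v for k, v in headers.items()}
    me = my_origin.lower()
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            for src in (p.strip("'").lower() for p in parts[1:]):
                if src == "*" or src == me or (src.endswith(":") and me.startswith(src)):
                    return False
            return True  # 'none', 'self' (the page's own origin), or a list without us
    xfo = h.get("x-frame-options", "").strip().upper()
    # DENY and SAMEORIGIN block a third-party frame; anything else (e.g. the
    # obsolete ALLOW-FROM) is ignored by current browsers, so framing works.
    return xfo in ("DENY", "SAMEORIGIN")


def needs_proxy(url, my_origin, timeout=10):
    """Pre-request the page like Chrome would and decide whether to proxy it."""
    resp = urlopen(Request(url, headers=CHROME_HEADERS), timeout=timeout)
    # Headers of the final response (urlopen follows redirects).
    return framing_blocked(dict(resp.headers.items()), my_origin)


if __name__ == "__main__":
    print(needs_proxy("https://www.bbc.com/", "https://scrapbook.example"))
```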
-
BUMP!
-
You're trying to run before you can walk you idiot. Read the manual!
-
@lucas1 No repro on bbc.com. I don't see any X-Frame headers being sent. Tried chrome dev tools and curl.
Note that I don't have any plan of attack or experience with this sort of stuff. I just wanted to see how this works and play with it a bit.
-
It is weird, it is only present when loading in the iFrame.
I have a few theories that I will try out this weekend.