BBC and X-FRAME-ORIGIN HEADER



  • I am making a "scrapbook" application. The flow works like this:

    • You do a search in the web app
    • You click on the results. It loads the url into an iFrame.
    • The user can select text (via some proxy iframe magic)
    • They then add that to the subject scrapbook and it is added to the list of relevant searches for a particular "scrapbook".

    I wanna use proxy iFrames so I can transfer data between their domain and mine via the web browser.

    However some sites use X-Frame-Origin: sameorigin to stop click jacking. I am trying to detect that using a quick ajax request to see if that header is being sent and then use the web server as a proxy to display the page if the header is present. I cannot catch the exception via JS, so I have to do this "pre-request".

    I primarily want to do it this way so I can save some bandwidth on the server as I would only need to proxy pages that are served using this header.

    I use python's request library to mimic Chrome browsing the page.

    • I send the same request headers as chrome, such as the user agent.
    • I don't send cookie headers.

    One of my test searches is the BBC, and when inspecting the request in Fiddler I see the header. When I use the requests library in Python and loop through the headers dict ... there is no X-Frame-Origin present. The reason I used the BBC is because their web tech is generally first class, so if I can make it work on their site I think it should work in the vast majority of cases.

    So I guessed that the BBC had some better test than the User-Agent to find out if I was a real visitor. However when I proxy the page into an iFrame it displays just fine. So my hypothesis was incorrect.

    Can someone be kind enough to have a look and see if there is something obvious I am missing?
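    An added example, not code from the thread, of how the "pre-request" check described above can evaluate a response's framing policy. The header browsers actually honour is `X-Frame-Options` (values `DENY` and `SAMEORIGIN`), and a `Content-Security-Policy` `frame-ancestors` directive overrides it when both are present; the lookup must be case-insensitive, since servers emit the name in varied casing, which is the first thing to verify when a header seems to be missing. The function and helper names are hypothetical, the fetch helper uses only the standard library, and the decision logic takes any header mapping (including the `CaseInsensitiveDict` that `requests` returns) so it can be exercised offline on constructed headers. One caveat the probe cannot remove: a server may answer a plain GET differently from a browser's frame navigation, so the result is a best-effort hint for choosing whether to proxy, not a guarantee.

```python
"""Decide whether a page can be embedded in an <iframe> from a given origin.

Added example (not from the thread). Applies the X-Frame-Options rules
(DENY / SAMEORIGIN, conflicting values fall back to DENY) and the CSP
frame-ancestors directive, which takes precedence. Helper names are hypothetical.
"""
from urllib.parse import urlsplit
from urllib.request import Request, urlopen


def origin_of(url: str) -> str:
    """Return scheme://host[:port] of a URL, lower-cased (the browser's notion of origin)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def can_frame(headers, page_url: str, embedder_origin: str) -> bool:
    """Return True if a browser would allow page_url to be framed by embedder_origin.

    `headers` is any mapping of response headers; names are compared
    case-insensitively because real servers send 'x-frame-options' in any casing.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    page_origin = origin_of(page_url)
    embedder_origin = embedder_origin.lower()

    # CSP frame-ancestors wins over X-Frame-Options when both are present.
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower().strip("'") for t in tokens[1:]]
            if "none" in sources:
                return False
            if "*" in sources:
                return True
            if "self" in sources and embedder_origin == page_origin:
                return True
            # Only exact scheme://host sources are matched here; wildcard hosts
            # and scheme-only sources from the CSP grammar are not handled.
            return embedder_origin in sources

    xfo = lowered.get("x-frame-options", "")
    if not xfo.strip():
        return True  # no policy header at all: framing is allowed

    # A header sent twice may be joined as "DENY, SAMEORIGIN"; browsers treat
    # conflicting values as DENY, identical duplicates as one value.
    values = {v.strip().lower() for v in xfo.split(",")}
    if len(values) > 1:
        return False
    value = values.pop()
    if value == "deny":
        return False
    if value == "sameorigin":
        return embedder_origin == page_origin
    # Unrecognised values (including the obsolete ALLOW-FROM) are ignored by
    # current browsers, which means the page ends up frameable.
    return True


def fetch_headers(url: str, user_agent: str, timeout: float = 10.0) -> dict:
    """Pre-request the page with stdlib urllib and return its response headers.

    Best effort only: the server may vary its answer on request details that a
    real frame navigation carries and a plain GET does not.
    """
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=timeout) as resp:  # follows redirects
        return dict(resp.headers.items())


if __name__ == "__main__":
    # Constructed sample headers, standing in for a real probe response.
    sample = {"content-type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
    page, me = "https://news.example.test/story", "https://scrapbook.example.test"
    print("frame directly" if can_frame(sample, page, me) else "proxy this page")
```

    Only the pages where `can_frame` returns `False` need to go through the server-side proxy, which is the bandwidth saving the post is after.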



  • BUMP!



  • bump






  • You're trying to run before you can walk you idiot. Read the manual!



  • @Jaloopa said:

    You're trying to run before you can walk you idiot. Read the manual!

    Seriously?





  • @lucas1 No repro on bbc.com. I don't see any X-Frame headers being sent. Tried chrome dev tools and curl.

    Note that I don't have any plan of attack or experience with this sort of stuff. I just wanted to see how this works and play with it a bit.



  • It is weird, it is only present when loading in the iFrame.

    I have a few theories that I will try out this weekend.

