Google Not Reciprocating On IFrame Usage?
theodp writes "Over at the Google Web Search Community, posters are questioning why Google feels free to IFrame others' web pages, yet blocks attempts to IFrame pages on its own sites. 'Google has so much contradiction in what it wants for itself and what it does with other websites [e.g., Google frames Slashdot],' quipped one poster. 'Do no evil, right?' And over at the Google Maps Help Forum, developers are also begging for Google to allow them to IFrame entire pages again. 'I know there are other options (&embed etc.),' explains a poster, 'but then there is no sidebar which is useless. I really need the functionality like it was before.' Can any Googlers out there explain The Mystery of 'This content cannot be displayed in a frame'?"
It's to prevent XF clickjacking, XSS and XSRF attacks. Please see recent web security papers. Many other major sites with valuable login credentials do the same thing.
http://en.wikipedia.org/wiki/Clickjacking may be related.
'Clickjacking' UI-Redressing and assorted other attacks rely on framing the target page.
Get over it, it's a multi billion dollar multi national business. Not your local charity, nor grandma's coffee shop.
Those who cling to the "don't be evil" meme say more about themselves and their naiveté, than it does about Google.
Preventing other sites from displaying a page from within a frame is a common defense against a web application vulnerability known as Clickjacking.
google is evil.
For them it already is theirs.
As long as nobody clearly states that it isn't their data, they will treat it as theirs. And nobody is saying that the personal data belongs to the person, so companies can keep confusing you and telling you that as soon as it is somehow online, it is not yours anymore.
Don't fight for your country, if your country does not fight for you.
The summary seems to imply that Google has "magical powers" which enable it to block displaying its pages in IFrames, which no one else has?
The reality, AFAICT, is that everyone could block Google from displaying their pages in that way, also. They largely just don't (either want, bother or know how to do it), but I fail to see how that makes Google "evil".
The threads you linked to have 18, 2, and no comments respectively.
While this is mildly interesting, it appears all the links you could find have trivial numbers of people participating.
Nobody cares, this is non-news. Oh wait, Google was mentioned?
There's even a comment about DRM! Everyone loves DRM articles!
Never mind, proceed with the company-bashing.
Congratulations on spamming your private battle to thousands of people via Slashdot editors.
Any person who modded this up needs a refresher in basic application security. The ability to iframe in a page allows for attacks like clickjacking.
'Google has so much contradiction in what it wants for itself and what it does with other websites [e.g., Google frames Slashdot],' quipped one poster. 'Do no evil, right?'
I don't see the contradiction. Everyone is allowed to decide whether or not they allow their content to be displayed in iframes. If Google chooses no for itself but takes advantage of the fact that others have chosen yes, that is not hypocrisy. (If Google was forcing yes on others, the poster might have a point.)
There is plenty to complain about here, I'm sure, but that's not it.
They do it for security. It's OK if you don't understand it. You apparently don't like Google. That's OK as well. But neither is a good reason for posting hate-speech.
Couldn't you write a browser script that modifies JavaScript's window object and such to make frame-breaking impossible?
And if you were a browser developer, couldn't you restrict frame-breaking to pages within the same website?
For more examples, Google for 'This content cannot be displayed in a frame' google.
The dark side has its own gravity.
Build your own energy sources from scratch. http://otherpower.com/
Showing a page in an IFRAME is really no different from viewing it in, say, an ad-supported webbrowser (like older versions of Opera).
Yes, it's quite different. It's the same only if you have the habit of downloading random web browsers, the way you browse random web pages. You have to trust a web browser much more than you have to trust a random web page, since a web browser has access to everything you do online with it. Clickjacking, XSS & co are real.
So you are saying that clickjacking is OK as long as you are Google?
I can understand and agree with Google's approach to it, but it sure is a double standard. Google trusts itself not to abuse it. But what about the invasion of IP for revenue?
Frames are responsible for so many hidden viruses, exploits, and malware... Good riddance.
I'm an asshole.
X-FRAME-OPTIONS: DENY
(Filter error: Don't use so many caps)
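Added example, not part of the original thread: a JavaScript model of how a browser decides whether a response carrying the X-Frame-Options header may be displayed in a frame, following the check described in the HTML Standard. It assumes no CSP `frame-ancestors` directive is present; the function names and the `app.example` / `portal.example` URLs are constructed for illustration.

```javascript
// Added example: models the X-Frame-Options check in the HTML Standard.
// Assumes no CSP frame-ancestors directive; names and URLs are constructed.
const KNOWN = ['deny', 'sameorigin', 'allowall'];

// Gather every X-Frame-Options value. Header names are case-insensitive and
// a value may be repeated or sent as a comma-separated list.
function xfoValues(headers) {
  const values = new Set();
  for (const [name, raw] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'x-frame-options') continue;
    for (const part of [].concat(raw).join(',').split(',')) {
      const v = part.trim().toLowerCase();
      if (v) values.add(v);
    }
  }
  return values;
}

// pageUrl: the document being framed. ancestorUrls: every document above it,
// from the immediate parent up to the top-level page.
function mayBeFramed(headers, pageUrl, ancestorUrls) {
  const values = xfoValues(headers);
  // Conflicting values fail closed if any of them is a recognised keyword.
  if (values.size > 1) return !KNOWN.some((k) => values.has(k));
  if (values.has('deny')) return false;
  if (values.has('sameorigin')) {
    const origin = new URL(pageUrl).origin;
    return ancestorUrls.every((u) => new URL(u).origin === origin);
  }
  return true; // no header, or a single unrecognised value
}

// Constructed cases: [headers, framed page, ancestor chain].
const cases = [
  [{ 'X-FRAME-OPTIONS': 'DENY' }, 'https://app.example/', ['https://app.example/']],
  [{ 'X-Frame-Options': 'SAMEORIGIN' }, 'https://app.example/a', ['https://app.example/b']],
  [{ 'X-Frame-Options': 'SAMEORIGIN' }, 'https://app.example/a',
    ['https://app.example/b', 'https://portal.example/']],
  [{ 'x-frame-options': 'SAMEORIGIN, DENY' }, 'https://app.example/', ['https://app.example/']],
  [{}, 'https://app.example/', ['https://portal.example/']],
];
for (const [h, page, chain] of cases) {
  console.log(JSON.stringify(h), chain.length, '->', mayBeFramed(h, page, chain));
}
```

The third case is the one to note: SAMEORIGIN is checked against every ancestor, so a same-origin parent nested inside a cross-origin top-level page is still refused.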
There is *nothing* stopping anyone from implementing iframe-busting on their sites. It won't hurt their search ranking. They are merely showing that if a site is a large target for malicious scripts, it makes incredible sense to stop it from being run in an iframe.
Google management is so desperate for growth, they will do anything to achieve it. The company is run by high-tech "mafiosos" who don't know how to make money except through advertising fed by intellectual property infringement and privacy invasion.
Google is an advertising company. Nearly all of their sites and services are focused to drive ad revenue.
Please note: 2011-Q3: Total Ad Revenue $9.335B (96%), Other Revenue $0.385M (4%)
Source: Google Financial Results
If Google did allow 3rd party frames of its websites, then that creates the situation that someone else can add their own advertising onto Google's pages/services, and prevents them from completely controlling the entire ad experience and ad revenue.
Personally I don't fault Google for this, since they are behaving exactly as one would expect from an advertising company. I think that other websites also need to use JavaScript and web tags to prevent Google using them in frames.
Google has lots of APIs to let you do most anything. If you need to embed an entire page from Google then you are doing it wrong. This is a security issue and frankly I'm glad they are acting responsibly.
DOING IT WRONG:
I am designing a web site and I wish to make extensive use of google.com via iframing.
Anons need not reply. Questions end with a question mark.
To follow up on my last post:
I wouldn't be unhappy to see property law evolve in the cloud era so that blocking a user from recovering those possessions in a reasonable process and time frame would constitute actual theft.
Property is a social construct and it changes as the embodiment of property changes (wives, children, slaves, agricultural boundaries, water, mineral rights, design, copyright, and in the ridiculous fullness of time as practiced by the legislature and legal profession ... personal cloudwares).
The fundamental problem here is that google's services are ones you'd expect a government to run. But of course, google is not the government and the free market model in which google operates does not force them to work as a government. In other words, they do not need to serve the needs of all of their clients, but instead, to make a profit, they need to serve the needs of most of their clients. And that's the fundamental problem, and it isn't going away until either the government takes over google, special regulations are put in place, or our market model is fundamentally changed. This whole iframe thing is just symptomatic of this problem.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
Is this news? Google is an internet vampire. Vampires feel free to suck blood as they will but are usually a little more picky about their own life force.
They do it for security. It's OK if you don't understand it. You apparently don't like Google. That's OK as well. But neither is a good reason for posting hate-speech.
I think you're mistaken. Not liking something is the best reason for posting hate speech about it.
Google Search contains "potentially clickjackable" Google+ widgets, so it's protected by this header. Google Custom search doesn't have this problem, so it's easily embeddable.
http://www.google.com/custom
This is why the phrase "Don't be evil" never should have been associated with Google. It was basically a challenge to the world to find and shout about anything Google does which could be considered "immoral" (via an obvious association with the word "evil"). Since morality is different for different people, there will always be people feeling completely justified in saying "so now Google is evil. Ha!"
"Don't break the law" is a much better motto, imo.
Why isn't Usain Bolt allowed to participate in the Special Olympics?
I hope all the non-google people now "retaliate" by blocking frames too, with X-Frame-Options on the server. Then we can be free of frames.
You can ask them to give you your money back if you are not satisfied.
You mean the one standard where Slashdot picks on everything Apple does?
...what? How the hell do you even come to that conclusion?
iframing a website doesn't automatically make you a clickjacker, but google owes it to its users to prevent that possibility from others who would abuse it.
I found it interesting a couple months back when YouTube changed to using iframes by default for their embed code.
You can check 'use old embed code' to use the original object code, but I haven't seen anyone do this since they made the change.
I was massively surprised when they made this move because of the security side of things; I'm completely unsurprised that they're blocking iframes, but I'm just as surprised they're using them by default in Youtube.
I'm not a Web standards maven, but I thought that wherever iframes originally came from, they were now a completely legitimate part of the W3C HTML standard. If so, then they ought to work with anything. The description in the HTML 4.01 standard seems to be here, and as a non-language-lawyer it seems to me that it is supposed to work unless your "user agent" (browser) does not support frames.
If Google is intentionally doing something that makes properly formed, Web-standard HTML not work properly, then shame on them. This isn't a question of "reciprocating" or "not reciprocating," it's a question of following Web standards or not. It's bad enough when a company is just too lazy or careless to follow them, but if a company intentionally makes proper HTML not work, I think that qualifies as "evil."
"How to Do Nothing," kids activities, back in print!
And if you were a browser developer, couldn't you restrict frame-breaking to pages within the same website?
Browser developers would be more likely to restrict framing itself to documents within the same origin.
What's wrong with writing the proxy, as you suggested? Is it that you'd run into rate limits per IP address that are far too low for a site that gets as much traffic as you reasonably plan to get?
When translating from Chinese to English at http://www.mdbg.net/chindict/chindict.php?page=translate , the explanation is money.
October 14, 2011
Please note: This only affects the translation of text from Chinese to English and vice versa. The functionality to look up individual words or the dictionary definitions of any Chinese word in a text remains unchanged!
The translation page of this website uses (now and before) Google Translate to perform text translation. Google recently changed their previously freely available website integration APIs to a paid service. This has forced us to change the way translation results are presented.
from http://www.mdbg.net/chindict/chindict.php?page=20111014_newtranslatepage
I actually don't even know what iframes are, but this seems related. All I know is that the translations are full of google, and that two weeks ago they weren't. You need to paste or write some Chinese text in the box and click go to see the new output. Of course it won't mean as much if you never saw the old output without the word google plastered all over it.
Stop misquoting. These are hugely different slogans. A non-evil person can do evil, and it does not make him evil.
There is NOTHING on google you need to be using an iframe for. NOTHING! And they are right for blocking you from doing it.
I agree.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
At school, they proxy through EMBC, who block stuff. If they want to block something themselves, at one time they had an in-house Smoothwall (DansGuardian/Squid) server, but they now block it by using the remote administration tool, by looking at the window title. E.g. notdoppler.com, which is unblocked at school, is closed automatically when a window with 'notdoppler' in it opens. I used to have an HTML page in my documents with 2 frames, a 1 pixel blank one, and Google. Now since Google blocks frames (it seems to be IE that complies with that request, and I can't use Firefox, as since they upgraded to Windows 7 you can't run EXEs off removable media), I have to put in the URL in the source directly every time. I hope no more sites do this, or, since as I said it seems to be IE that complies with that request to block framed Google, that I find a way to override this 'safety'.
I hate it when websites filter by referrer and claim you are stealing their bandwidth. Really? It's just a hyperlink. If you're going to complain don't put it on the web! I use a Firefox add-on to spoof the referrer, to the Wikipedia article on referrer spoofing, and sometimes sites claim I'm stealing their bandwidth, and reCAPTCHA doesn't work, but luckily the extension has an exceptions list.
*cough* Google's YouTube switched to iframe embedding to allow HTML5 video http://apiblog.youtube.com/2010/07/new-way-to-embed-youtube-videos.html *cough*
I see a web API that uses JSON (as opposed to JSONP) as an implicit statement that the API is intended for server-to-server communication, as opposed to communication directly with a user agent. If Google disagrees, consider it the same as discontinuing the service, which I'm pretty sure the TOS says Google can do at any time for any reason. If you think this is something Google is likely to disable for you specifically before it discontinues the service for the world, is it that the API allows the server to access a user's private information?