Google Not Reciprocating On IFrame Usage?
theodp writes "Over at the Google Web Search Community, posters are questioning why Google feels free to IFrame others' web pages, yet blocks attempts to IFrame pages on its own sites. 'Google has so much contradiction in what it wants for itself and what it does with other websites [e.g., Google frames Slashdot],' quipped one poster. 'Do no evil, right?' And over at the Google Maps Help Forum, developers are also begging for Google to allow them to IFrame entire pages again. 'I know there are other options (&embed etc.),' explains a poster, 'but then there is no sidebar which is useless. I really need the functionality like it was before.' Can any Googlers out there explain The Mystery of 'This content cannot be displayed in a frame'?"
It's to prevent XF clickjacking, XSS and XSRF attacks. Please see recent web security papers. Many other major sites with valuable login credentials do the same thing.
http://en.wikipedia.org/wiki/Clickjacking may be related.
'Clickjacking' UI-Redressing and assorted other attacks rely on framing the target page.
Get over it, it's a multi billion dollar multi national business. Not your local charity, nor grandma's coffee shop.
Those who cling to the "don't be evil" meme say more about themselves and their naiveté, than it does about Google.
Preventing other sites from displaying a page from within a frame is a common defense against a web application vulnerability known as Clickjacking.
For them it already is theirs.
As long as nobody clearly states that it isn't their data, they will treat it as theirs. And nobody is saying that the personal data belongs to the person, so companies can keep confusing you and telling you that as soon as it is somehow online, it is not yours anymore.
Don't fight for your country, if your country does not fight for you.
The summary seems to imply that Google has "magical powers" which enable it to block displaying its pages in IFrames, which no one else has?
The reality, AFAICT, is that everyone could block Google from displaying their pages in that way, also. They largely just don't (either want, bother or know how to do it), but I fail to see how that makes Google "evil".
The threads you linked to have 18, 2, and no comments respectively.
While this is mildly interesting, it appears all the links you could find have trivial numbers of people participating.
Nobody cares, this is non-news. Oh wait, Google was mentioned?
There's even a comment about DRM! Everyone loves DRM articles!
Nevermind, proceed with the company-bashing.
Congratulations on spamming your private battle to thousands of people via Slashdot editors.
Any person who modded this up needs a refresher in basic application security. The ability to iframe in a page allows for attacks like clickjacking.
'Google has so much contradiction in what it wants for itself and what it does with other websites [e.g., Google frames Slashdot],' quipped one poster. 'Do no evil, right?'
I don't see the contradiction. Everyone is allowed to decide whether or not they allow their content to be displayed in iframes. If Google chooses no for itself but takes advantage of the fact that others have chosen yes, that is not hypocrisy. (If Google was forcing yes on others, the poster might have a point.)
There is plenty to complain about here, I'm sure, but that's not it.
They do it for security. It's OK if you don't understand it. You apparently don't like Google. That's OK as well. But neither is a good reason for posting hate-speech.
Couldn't you write a browser script that modifies JavaScript's window object and such to make frame-breaking impossible?
And if you were a browser developer, couldn't you restrict frame-breaking to pages within the same website?
For more examples, Google for 'This content cannot be displayed in a frame' google.
The dark side has its own gravity.
Build your own energy sources from scratch. http://otherpower.com/
Showing a page in an IFRAME is really no different from viewing it in, say, an ad-supported webbrowser (like older versions of Opera).
Yes, it's quite different. It's the same only if you have the habit of downloading random web browsers, the way you browse random web pages. You have to trust a web browser much more than you have to trust a random web page, since the web browser has access to everything you do online with it. Clickjacking, XSS & co are real.
There is *nothing* stopping anyone from implementing iframe-busting on their sites. It won't hurt their search ranking. They are merely showing that if a site is a large target for malicious scripts, it makes incredible sense to stop it from being run in an iframe.
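The frame blocking discussed in this thread is normally declared in response headers (`X-Frame-Options`, or the `frame-ancestors` directive of `Content-Security-Policy`) that the browser enforces. As an added example, not part of any comment and not Google's code, this sketch evaluates those headers the way a site owner might when auditing whether a page can be framed from another origin; the function names, origins and sample headers are constructed for illustration.

```javascript
// Added example, not code from the thread: would a browser let `parentOrigin`
// frame a page served from `pageOrigin`? Assumption: only one ancestor is checked.
function framingAllowed(headers, pageOrigin, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  // A CSP frame-ancestors directive, when present, overrides X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    // An empty source list behaves like 'none'.
    return directive.slice(1).some(s => matchesSource(s, pageOrigin, parentOrigin));
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parentOrigin === pageOrigin;
  // No restriction recognised by current browsers: any site may frame the page.
  return true;
}

function matchesSource(src, pageOrigin, parentOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return parentOrigin === pageOrigin;
  if (src === '*') return true;
  const parent = new URL(parentOrigin);
  // Host sources such as https://partner.example or https://*.partner.example;
  // a source without a port only matches the scheme's default port.
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:*]+)$/i.exec(src);
  if (!m || parent.port || m[1].toLowerCase() + ':' !== parent.protocol) return false;
  const host = m[3].toLowerCase();
  return m[2] ? parent.hostname.endsWith('.' + host) : parent.hostname === host;
}

// Constructed sample responses for a hypothetical https://site.example page.
function auditSamples() {
  const page = 'https://site.example';
  const csp = { 'Content-Security-Policy': "default-src 'self'; frame-ancestors https://*.partner.example",
                'X-Frame-Options': 'DENY' };
  return {
    denyOther: framingAllowed({ 'X-Frame-Options': 'DENY' }, page, 'https://other.example'),
    sameOriginSelf: framingAllowed({ 'x-frame-options': 'sameorigin' }, page, page),
    sameOriginOther: framingAllowed({ 'X-Frame-Options': 'SAMEORIGIN' }, page, 'https://other.example'),
    cspSubdomain: framingAllowed(csp, page, 'https://app.partner.example'),
    cspBareDomain: framingAllowed(csp, page, 'https://partner.example'),
    noHeaders: framingAllowed({}, page, 'https://other.example'),
  };
}
```

A page that sends neither header is the `noHeaders` case: it can be framed by any site, which is the situation several commenters describe for sites that have not opted out.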
Google is an advertising company. Nearly all of their sites and services are focused to drive ad revenue.
Please note: 2011-Q3: Total Ad Revenue $9.335B (96%), Other Revenue $0.385M (4%)
Source: Google Financial Results
If Google did allow 3rd party frames of its websites, then that creates the situation that someone else can add their own advertising onto Google's pages/services, and prevents them from completely controlling the entire ad experience and ad revenue.
Personally I don't fault Google for this, since they are behaving exactly as one would expect from an advertising company. I think that other websites also need to use JavaScript and web tags to prevent Google using them in frames.
Google has lots of APIs to let you do most anything. If you need to embed an entire page from google then you are doing it wrong. This is a security issue and frankly I'm glad they are acting responsibly.
DOING IT WRONG:
I am designing a web site and I wish to make extensive use of google.com via iframing.
Anons need not reply. Questions end with a question mark.
To follow up on my last post:
I wouldn't be unhappy to see property law evolve in the cloud era so that blocking a user from recovering those possessions in a reasonable process and time frame would constitute actual theft.
Property is a social construct and it changes as the embodiment of property changes (wives, children, slaves, agricultural boundaries, water, mineral rights, design, copyright, and in the ridiculous fullness of time as practiced by the legislature and legal profession ... personal cloudwares).
The fundamental problem here is that google's services are ones you'd expect a government to run. But of course, google is not the government and the free market model in which google operates does not force them to work as a government. In other words, they do not need to serve the needs of all of their clients, but instead, to make a profit, they need to serve the needs of most of their clients. And that's the fundamental problem, and it isn't going away until either the government takes over google, special regulations are put in place, or our market model is fundamentally changed. This whole iframe thing is just symptomatic of this problem.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
You can ask them to give you your money back if you are not satisfied.
Don't break the law completely defeats the purpose of a motto. The idea of having and sharing the "don't be evil" motto is to show intent to be good citizens beyond simple regulatory requirements to abide by the rules the state hands down. Everything else you say is true it will be used against them but they believe, wrongly or rightly, that it is important to show intent to act in a moral/ethical way beyond what is simply required of them. This may just be simple advertising or it may be a genuine belief that this type of corporate cultural artifact is vital to being the company they want to be but either way it's not as simple as don't do things that can be used against you because it's not a simple tactics exercise but a philosophical one instead.
...what? How the hell do you even come to that conclusion?
iframing a website doesn't automatically make you a clickjacker, but google owes it to its users to prevent that possibility from others who would abuse it.
I found it interesting a couple months back when YouTube changed to using iframes by default for their embed code.
You can check 'use old embed code' to use the original object code, but I haven't seen anyone do this since they made the change.
I was massively surprised when they made this move because of the security side of things; I'm completely unsurprised that they're blocking iframes, but I'm just as surprised they're using them by default in Youtube.
I'm not a Web standards maven, but I thought that wherever iframes originally came from, they were now a completely legitimate part of the W3C HTML standard. If so, then they ought to work with anything. The description in the HTML 4.01 standard seems to be here, and as a non-language-lawyer it seems to me that it is supposed to work unless your "user agent" (browser) does not support frames.
If Google is intentionally doing something that makes properly formed, Web-standard HTML not work properly, then shame on them. This isn't a question of "reciprocating" or "not reciprocating," it's a question of following Web standards or not. It's bad enough when a company is just too lazy or careless to follow them, but if a company intentionally makes proper HTML not work, I think that qualifies as "evil."
"How to Do Nothing," kids activities, back in print!
Wow, you just used the Cultural Differences argument as if it is the only possibility in ethics. The Cultural Differences argument and Cultural Relativity in general is based on flawed logic. And besides that, there are other alternative philosophical theories. One is that the perception of morality is different for different people, but that the truth of morality is set in stone like the other constants that govern physics and chemistry. There are other philosophical arguments as well. But if you are going to use one, at least don't make it sound like it's a fact of life or something when it is not.
And if you were a browser developer, couldn't you restrict frame-breaking to pages within the same website?
Browser developers would be more likely to restrict framing itself to documents within the same origin.
What's wrong with writing the proxy, as you suggested? Is it that you'd run into rate limits per IP address that are far too low for a site that gets as much traffic as you reasonably plan to get?
Stop misquoting. These are hugely different slogans. A non-evil person can do evil, and it does not make him evil.
I agree.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
At school, they proxy through EMBC, who block stuff. If they want to block something themselves, at one time they had an in-house smoothwall (dansguardian/squid) server, but they now block it by using the remote administration tool, by looking at the window title. E.g. notdoppler.com, which is unblocked at school, is closed automatically when a window with 'notdoppler' in it opens. I used to have an HTML page in my documents with 2 frames, a 1 pixel blank one, and Google. Now since Google blocks frames (it seems to be IE that complies with that request, and I can't use Firefox, as since they upgraded to Windows 7 you can't run EXEs off removable media) I have to put in the URL in the source directly every time. I hope no more sites do this, or, since as I said it seems to be IE that complies with that request to block framed Google, I find a way to override this 'safety'.
I hate it when websites filter by referrer and claim you are stealing their bandwidth. Really? It's just a hyperlink. If you're going to complain don't put it on the web! I use a Firefox add-on to spoof the referrer, to the wikipedia article on referrer spoofing, and sometimes sites claim I'm stealing their bandwidth, and recaptcha doesn't work, but luckily the extension has an exceptions list
I see a web API that uses JSON (as opposed to JSONP) as an implicit statement that the API is intended for server-to-server communication, as opposed to communication directly with a user agent. If Google disagrees, consider it the same as discontinuing the service, which I'm pretty sure the TOS says Google can do at any time for any reason. If you think this is something Google is likely to disable for you specifically before it discontinues the service for the world, is it that the API allows the server to access a user's private information?