Google Not Reciprocating On IFrame Usage?

theodp writes "Over at the Google Web Search Community, posters are questioning why Google feels free to IFrame others' web pages, yet blocks attempts to IFrame pages on its own sites. 'Google has so much contradiction in what it wants for itself and what it does with other websites [e.g., Google frames Slashdot],' quipped one poster. 'Do no evil, right?' And over at the Google Maps Help Forum, developers are also begging for Google to allow them to IFrame entire pages again. 'I know there are other options (&embed etc.),' explains a poster, 'but then there is no sidebar which is useless. I really need the functionality like it was before.' Can any Googlers out there explain The Mystery of 'This content cannot be displayed in a frame'?"

XSRF

It's to prevent XF clickjacking, XSS and XSRF attacks. Please see recent web security papers. Many other major sites with valuable login credentials do the same thing.

Clickjacking

http://en.wikipedia.org/wiki/Clickjacking may be related.

WTF?

[Mathinker]

The summary seems to imply that Google has "magical powers" which enable it to block displaying its pages in IFrames, which no one else has?

The reality, AFAICT, is that everyone could block Google from displaying their pages in that way, also. They largely just don't (either want, bother or know how to do it), but I fail to see how that makes Google "evil".

Re:DRM for webpages

[rivetgeek]

Any person who modded this up needs a refresher in basic application security. The ability to iframe in a page allows for attacks like clickjacking.

use the APIs

[Gravis+Zero]

Google has lots of APIs to let you do most anything. If you need to embed an entire page from google then you are doing it wrong. This is a security issue and frankly I'm glad they are acting responsible.

DOING IT WRONG:

I am designing a web site and I wish to make extensive use of google.com via iframing.