pyjs / pyjs

Pyjs canonical sources. Start here!
http://pyjs.org/
Apache License 2.0

Form examples in examples/showcase #35

Open pyjsorg opened 12 years ago

pyjsorg commented 12 years ago

Someone a few years back showed how to do "click-jacking". Now, many sites, such as Google, set a custom X-Frame-Options header to be only ORIGIN. This will not allow the HTML to be displayed in an iframe by browsers that respect that header. In short, for the showcase example, all of the forms use Google search as an example.

There are many options to fix this:

1. Use a different URL with a form that is static (URL won't change, URL will continue to exist, etc.) and either set X-Frame-Options to allow embedding in an iframe, or don't even set the X-Frame-Options header.
2. Find a Google URL that allows embedding a search results page.
3. Add some crud to the example to (if such a thing exists) add cruft to the returned Google URL to allow it to be embedded in an iframe (this is currently allowed, or was for Google Maps, but I haven't found the required option for Google search results).

Comments

Original issue: http://code.google.com/p/pyjamas/issues/detail?id=688 (February 16, 2012 14:40:59)

pyjsorg commented 12 years ago

From Jeff.Van...@gmail.com on February 16, 2012 14:47:12: Ok, submitting a google.com/custom search gives a 403 even if I use it (via Chrome) directly in the browser.
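
The framing behaviour this issue describes can be checked before choosing a replacement form target. The following is an added example, not part of the issue or of pyjs: it decides from response headers whether a browser would render a page inside an iframe hosted by the showcase. The function names, the `SAMPLE_HEADERS` value and the localhost showcase URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}


def origin(url):
    """Return scheme://host[:port], lower-cased. Default ports are not normalised."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_ancestors(csp):
    """Return the frame-ancestors source list of a CSP header value, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def can_embed(headers, page_url, embedder_url):
    """True if the headers let embedder_url show page_url in an iframe.

    Simplifications: only the direct parent frame is considered, wildcard
    hosts such as *.example.com are not matched, and a comma-separated
    X-Frame-Options value is not split.
    """
    h = {k.lower(): v for k, v in headers.items()}
    same = origin(page_url) == origin(embedder_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # CSP frame-ancestors takes precedence over X-Frame-Options.
        if not sources or "'none'" in sources:
            return False
        return ("*" in sources or ("'self'" in sources and same)
                or origin(embedder_url) in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same
    # Header absent, or a value such as ALLOW-FROM that current browsers ignore.
    return True
```

A form target for the showcase is usable in an iframe only when `can_embed` returns `True` for the showcase's own origin.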