Form examples in examples/showcase

[pyjsorg]

Someone a few years back showed how to do "click-jacking". Now, many sites, such as google, set a custom X-frame-options header to be only ORIGIN. This will not allow the html to be displayed in an iframe by browsers that respect that header. In short, for the showcase example, all of the forms use google search as an example.

There are many options to fix this: 1) use a different url with a form that is static (url won't change, url will continue to exist, etc). and either set X-frame-options to allow embedding in an iframe, or don't even set the x-frame-options header. 2) find a google url that allows embedding a search results page 3) add some crud to the example to (if such a thing exists) add cruft to the returned google url to allow it to be embedded in an iframe (this is currently allowed, or was for google maps, but I haven't found the required option for google search results).

Comments

• a standard google search sets x-frame-options to ORIGIN -- must respect this (well, browser does it for us).
• google.com/custom fails with 403 if you specify a search via url (e.g. google.com/custom?q=red)
• we could require one to start a simple http server to serve up a form (as is done by the jsonrpc example).

Original issue: http://code.google.com/p/pyjamas/issues/detail?id=688 (February 16, 2012 14:40:59)

[pyjsorg]

From Jeff.Van...@gmail.com on February 16, 2012 14:47:12: Ok, submitting a google.com/custom search gives a 403 even if I use it (via Chrome) directly in the browser.