Comments
-
I think there are some cookie-related issues for them in using an iframe. They won't be able to properly track the views and stuff in an iframe.
YouTube does count views in embedded videos, not sure how. -
There's a security reason why you use X-Frame-Options to forbid other sites to iframe your site, that being clickjack attacks:
https://troyhunt.com/clickjack-atta... -
@Fast-Nop One can write an "embedding area" (like YouTube did) where the possibility of clickjacking does not benefit the attack.
-
@sbiewald YT is an exception because videos are not an actual UI anyway.
Otherwise, there's usually no reason why you would even want a third party site to iframe your content instead of setting a hyperlink.
I set both X-Frame-Options and the frame-ancestors part of my Content Security Policy to prevent such third party iframing.
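Added example (not part of any comment in this thread): a small JavaScript audit helper that takes a page's response headers and reports whether a given origin could frame it, using the two headers named in the comment above. The function names, the lowercase header-map shape and the sample origins are assumptions made for illustration; it checks a single ancestor and a single Content-Security-Policy header, which is simpler than what browsers do.

```javascript
// Added example: would these response headers let embedderOrigin frame the page?
// Simplified: one ancestor, one CSP header, and only 'self', '*', exact
// origins and scheme://*.host wildcards are understood as sources.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent
}

function sourceMatches(source, embedder, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return embedder === self;
  if (s === "*") return true;
  const wild = s.match(/^(https?:\/\/)\*\.(.+)$/);
  if (wild) {
    const e = new URL(embedder);
    return e.protocol + "//" === wild[1] && e.host.endsWith("." + wild[2]);
  }
  return s === embedder; // a lone 'none' never equals an origin, so it denies
}

function framingAllowed(headers, embedder, self) {
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // When frame-ancestors is present it is enforced and X-Frame-Options is ignored.
    return sources.some(s => sourceMatches(s, embedder, self));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedder === self;
  return true; // no header, or obsolete ALLOW-FROM: no framing protection
}

// Constructed sample: both headers set, as the comment describes.
const sample = {
  "x-frame-options": "DENY",
  "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
};
console.log(framingAllowed(sample, "https://other.example", "https://site.example"));
```

Sending both headers covers browsers that predate frame-ancestors while letting current ones apply the CSP rule.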
Related Rants
Fuck social media websites that don't allow you to embed their content with a simple iframe
Good example 👍 :
<iframe src="https://youtube.com/embed/..." allow="..." allowfullscreen></iframe>
Bad example 👎:
<blockquote class="reddit-card" ...><a href="https://www.reddit.com/r/.../...">...</a></blockquote>
<script async src="//embed.redditmedia.com/widgets/platform.js"></script>
NO I DON'T WANT TO RUN YOUR 100kb JAVASCRIPT FILE WITH FULL PERMISSIONS ON MY WEBSITE JUST TO DISPLAY 1 SENTENCE AND 1 IMAGE. WHO KNOWS WHAT OTHER NASTY THINGS IT MIGHT LOAD IN IN THE FUTURE.
With an iframe it's at least somewhat contained.