Form examples in examples/showcase #35

Open
pyjsorg opened this Issue Apr 27, 2012 · 1 comment


pyjsorg commented Apr 27, 2012

Someone a few years back showed how to do "click-jacking". Now, many sites, such as Google, set a custom X-Frame-Options header to be only ORIGIN. This will not allow the HTML to be displayed in an iframe by browsers that respect that header. In short, for the showcase example, all of the forms use Google search as an example.

There are many options to fix this:

  1. use a different url with a form that is static (url won't change, url will continue to exist, etc.) and either set X-Frame-Options to allow embedding in an iframe, or don't even set the X-Frame-Options header.
  2. find a google url that allows embedding a search results page
  3. add some crud to the example to (if such a thing exists) add cruft to the returned google url to allow it to be embedded in an iframe (this is currently allowed, or was for google maps, but I haven't found the required option for google search results).

Comments

  • a standard google search sets x-frame-options to ORIGIN -- must respect this (well, browser does it for us).
  • google.com/custom fails with 403 if you specify a search via url (e.g. google.com/custom?q=red)
  • we could require one to start a simple http server to serve up a form (as is done by the jsonrpc example).

Original issue: http://code.google.com/p/pyjamas/issues/detail?id=688 (February 16, 2012 14:40:59)
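The framing rule the issue describes, as an added example that is not part of the original report or of the pyjamas code base: given the response headers of the page the showcase wants to frame, decide whether a browser honouring X-Frame-Options would render it inside the showcase's iframe. The defined header values are DENY and SAMEORIGIN (the "ORIGIN" above refers to the latter); the header lists, hostnames and URLs below are constructed samples.

```python
"""Added example for this issue, not code from the pyjamas project: decide
whether a browser that honours X-Frame-Options would render a response inside
an <iframe> hosted by a given page.  All headers and URLs below are constructed
samples, not captured traffic."""
from urllib.parse import urlsplit


def origin_of(url: str) -> tuple[str, str]:
    """(scheme, host[:port]) of a URL: what browsers compare for SAMEORIGIN."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def framing_allowed(headers, framed_url: str, embedder_url: str) -> bool:
    """True if a document at embedder_url may show framed_url in an <iframe>,
    judging only by the X-Frame-Options header(s) sent with framed_url.

    headers is a list of (name, value) pairs, the shape http.client's
    HTTPResponse.getheaders() returns.  Rules as the HTML standard specifies:
      - no header, or one value that is neither DENY nor SAMEORIGIN: render
        (this is what the old click-jacking demo relied on)
      - DENY: never render in a frame
      - SAMEORIGIN: render only if the embedder has the same origin
      - several distinct values, any of them DENY/SAMEORIGIN: never render
    """
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            values.extend(v.strip().upper() for v in value.split(",") if v.strip())
    values = list(dict.fromkeys(values))  # drop exact duplicates, keep order
    if not values:
        return True
    if len(values) > 1:
        return not any(v in ("DENY", "SAMEORIGIN") for v in values)
    if values[0] == "DENY":
        return False
    if values[0] == "SAMEORIGIN":
        return origin_of(framed_url) == origin_of(embedder_url)
    return True  # obsolete ALLOW-FROM or a typo: ignored by current browsers


# Constructed samples matching the situations the thread describes.
SHOWCASE = "http://localhost:8000/showcase.html"   # page hosting the <iframe>
GOOGLE_LIKE = [("X-Frame-Options", "SAMEORIGIN")]   # a search results page
SELF_HOSTED = [("Content-Type", "text/html")]       # own form, no header set

if __name__ == "__main__":
    print(framing_allowed(GOOGLE_LIKE, "https://www.google.com/search?q=red", SHOWCASE))
    print(framing_allowed(SELF_HOSTED, "http://localhost:8000/form.html", SHOWCASE))
```

To check a real target, pass `resp.getheaders()` from an `http.client` response as `headers`; the function never fetches anything itself.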


pyjsorg commented Apr 27, 2012

From Jeff.Van...@gmail.com on February 16, 2012 14:47:12:
Ok, submitting a google.com/custom search gives a 403 even if I use it (via Chrome) directly in the browser.
