Google Talk Badges vs X-Frame-Options
Posted by: Giorgio in Clickjacking, Google, Mozilla, NoScript

If you can see my Google Talk Badge on the right, either you're browsing with anything other than IE8/Chrome/Safari/Firefox+NoScript, or the issue we're talking about has already been fixed by Google. Edit 7 Dec 2009: the issue has been fixed, so I've removed my badge to prevent a spam flood.
Otherwise, you're getting an error page (hard to read, since it's embedded in a tiny frame), or a blank one if you're on Chrome, because Google is sending down an X-Frame-Options HTTP header with value SAMEORIGIN, allowing only pages served from www.google.com to embed this badge.
Now, Google playing the early adopter of bleeding edge security technologies like X-Frame-Options or STS (Strict Transport Security), both in its browser and in its web properties, is really great because it speeds up their acceptance hugely, making the whole web safer. But if the service you're offering is based on cross-site frames, you'd better make sure the header you send still keeps them enabled ;-)
On a side note, users can easily disable NoScript's implementation of X-Frame-Options, if needed, via about:config preferences: either globally (noscript.frameOptions.enabled) or per-embedding-site (noscript.frameOptions.parentWhitelist). Don't worry, ClearClick will still be watching your back…
December 2nd, 2009 at 11:28 pm
[…] original here: hackademix.net » Google Talk Badges vs X-Frame-Options By admin | category: google talk | tags: badge, been-fixed, google talk, google-otherwise, […]
December 3rd, 2009 at 12:05 am
Why would that frame need to be blocked from other sites? It’s supposed to be embedded.
December 3rd, 2009 at 12:40 am
@Ben L.:
In fact, the whole point is that it was an error…
December 3rd, 2009 at 10:40 am
Blocked OK in FF and IE8, but not in Thunderbird (RSS feed). Is NoScript available for Thunderbird?
December 3rd, 2009 at 11:18 am
@Mark:
No, it’s not.
December 4th, 2009 at 12:30 pm
@ Giorgio:
Posts 4, 5, and 8 appear to be spam, as the sites are unrelated to security or to the Internet at all. Under "Options", they list:
# Related Blogs on Options
# hackademix.net » Google Talk Badges vs X-Frame-Options
# Options for Afghanistan, Pakistan | The Pakistani Spectator
# Midcourse Corrections » Blog Archive » 14 Online eCommunity …
# Glass City Jungle » Blog Archive » Ujvagi considering options for …
# Options for removing advertisements from a Ning site » Moving at …
So my question is, are they spamming you with link-spam, or are they doing you a favor by link-spamming your site on their own?
December 4th, 2009 at 12:35 pm
Post #9 went up while I was composing. Viral marketing for Hackademix? How clever!
Apparently, the first batch picked up the keyword, "Options", and Oprah picked up the keyword "talk".
* Related Blogs on Talk
* hackademix.net » Google Talk Badges vs X-Frame-Options
* Read Our Blueprints for World Cup 2010 Coverage, EPL Talk
* Google Becomes Talk Show Fodder : Beyond Search
These sites must be bombarded with links if their bots find such common terms, no?
December 4th, 2009 at 1:23 pm
@Tom T.:
Marked as spam. Notice that comments are autonumbered, therefore your numbers don’t make sense anymore.
January 17th, 2010 at 7:49 pm
Once again, NoScript saves the day :)