Archive for December 2nd, 2009

If you can see my Google Talk Badge on the right, either you're browsing with anything other than IE8/Chrome/Safari/Firefox+NoScript, or the issue we're talking about has already been fixed by Google. Edit 7 Dec 2009: the issue has been fixed, so I've removed my badge to prevent a spam flood.

Otherwise, you're getting an error page (hard to read, since it's embedded in a tiny frame) -- or a blank one if you're on Chrome -- because Google is sending down an X-Frame-Options HTTP header with value SAMEORIGIN, allowing only pages served from www.google.com to embed this badge.
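To make the mechanism concrete, here is an added example (not code from this post, from NoScript or from Google) that extracts X-Frame-Options from a response header block and decides whether a frame-honoring browser would render the framed page inside a given top-level page. The sample header block, the badge URL path and the embedding site blog.example are constructed for illustration; the check compares the framed document's origin against the top-level page's origin, which is what SAMEORIGIN means. It also handles DENY, and ALLOW-FROM, a directive added to the header after this post was written; an unrecognized value is ignored, which is how browsers treat a malformed header.

```python
from urllib.parse import urlsplit

# Constructed sample response headers for an embeddable widget endpoint
# (illustrative only, not captured from Google).
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Cache-Control: private
"""


def origin_of(url):
    """Return the (scheme, host, port) origin of a URL, filling in the default port."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def parse_xfo(raw_headers):
    """Return the X-Frame-Options value from a raw header block, or None if absent."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            return value.strip()
    return None


def framing_allowed(xfo_value, framed_url, top_url):
    """Decide whether a browser honoring X-Frame-Options renders framed_url inside top_url."""
    if xfo_value is None:
        return True  # no header: framing is permitted
    directive, _, arg = xfo_value.strip().partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False  # never framed, not even by the same site
    if directive == "SAMEORIGIN":
        return origin_of(framed_url) == origin_of(top_url)
    if directive == "ALLOW-FROM" and arg.strip():
        # later addition to the header: a single explicitly permitted embedder
        return origin_of(arg.strip()) == origin_of(top_url)
    return True  # unrecognized value: browsers ignore the header


if __name__ == "__main__":
    xfo = parse_xfo(SAMPLE_RESPONSE_HEADERS)
    badge = "http://www.google.com/talk/badge"  # constructed path
    for top in ("http://blog.example/", "http://www.google.com/"):
        print(top, "->", "renders" if framing_allowed(xfo, badge, top) else "blocked")
```

Running the block reproduces the situation described above: with SAMEORIGIN the badge renders only when the top-level page is itself on www.google.com, and any third-party blog embedding it is blocked.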

Now, Google playing the early adopter of bleeding edge security technologies like X-Frame-Options or STS, both in its browser and in its web properties, is really great because it speeds up their acceptance hugely, making the whole web safer. But if the service you're offering is based on cross-site frames, you'd better keep them enabled ;-)

On a side note, users can easily disable NoScript's implementation of X-Frame-Options, if needed, via about:config preferences: either globally (noscript.frameOptions.enabled) or per-embedding-site (noscript.frameOptions.parentWhitelist). Don't worry, ClearClick will still be watching your back...
