If you can see my Google Talk Badge on the right, either you're browsing with anything other than IE8/Chrome/Safari/Firefox+NoScript, or the issue we're talking about has already been fixed by Google. Edit 7 Dec 2009: the issue has been fixed, so I've removed my badge to prevent a spam flood.

Otherwise, you're getting an error page (hard to read, since it's embedded in a tiny frame) -- or a blank one if you're on Chrome -- because Google is sending down an X-Frame-Options HTTP header with value SAMEORIGIN, allowing only pages served from www.google.com to embed this badge.

Now, Google playing the early adopter of bleeding edge security technologies like X-Frame-Options or STS, both in its browser and in its web properties, is really great because it speeds up their acceptance hugely, making the whole web safer. But if the service you're offering is based on cross-site frames, you'd better keep them enabled, i.e. not send a restrictive X-Frame-Options header on the very resource meant to be embedded ;-)
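As an added illustration, not code from the original post: a small Python simulator of the X-Frame-Options decision a browser (or NoScript on Firefox) makes, applied to the badge case, plus a check that flags resources meant for cross-site embedding which nevertheless send a restrictive header. The badge path, the other paths and their headers are constructed samples, not Google's real ones; ALLOW-FROM is included because RFC 7034 later documented it, although it did not exist in 2009.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple that X-Frame-Options compares."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def frame_allowed(xfo, top_url, frame_url):
    """Would a browser honouring X-Frame-Options render frame_url inside top_url?

    xfo is the raw header value, or None when the response carries no header.
    """
    if xfo is None:
        return True  # no header: framing is allowed from anywhere
    parts = xfo.strip().split(None, 1)
    directive = parts[0].upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        # The badge case: www.google.com framed by hackademix.net fails here.
        return origin_of(top_url) == origin_of(frame_url)
    if directive == "ALLOW-FROM" and len(parts) == 2:
        return origin_of(parts[1]) == origin_of(top_url)
    # Simplifying assumption of this simulator: unknown or malformed values
    # are treated as blocking; real browsers have historically varied here.
    return False


# Constructed sample responses from the framed site. "/badge/embed" is a
# placeholder for the badge, not Google's actual path.
SAMPLE_RESPONSES = {
    "/badge/embed": {"X-Frame-Options": "SAMEORIGIN"},   # the bug in the post
    "/badge/embed-fixed": {},                             # header removed
    "/accounts/login": {"X-Frame-Options": "DENY"},       # legitimately locked
}
EMBEDDABLE = {"/badge/embed", "/badge/embed-fixed"}


def find_broken_widgets(responses, embeddable, site="http://www.google.com",
                        embedder="http://hackademix.net/"):
    """Paths intended for cross-site embedding that a third-party page cannot frame."""
    return sorted(
        path for path in embeddable
        if not frame_allowed(responses[path].get("X-Frame-Options"), embedder, site + path)
    )


if __name__ == "__main__":
    print("broken embeddable widgets:", find_broken_widgets(SAMPLE_RESPONSES, EMBEDDABLE))
```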

On a side note, users can easily disable NoScript's implementation of X-Frame-Options, if needed, via about:config preferences: either globally (noscript.frameOptions.enabled) or per-embedding-site (noscript.frameOptions.parentWhitelist). Don't worry, ClearClick will still be watching your back...

9 Responses to “Google Talk Badges vs X-Frame-Options”

  1. #1 hackademix.net » Google Talk Badges vs X-Frame-Options Google Price says:

    [...] original here:  hackademix.net » Google Talk Badges vs X-Frame-Options By admin | category: google talk | tags: badge, been-fixed, google talk, google-otherwise, [...]

  2. #2 Ben L. says:

    Why would that frame need to be blocked from other sites? It's supposed to be embedded.

  3. #3 Giorgio says:

    @Ben L.:
    In fact, the whole point is that it was an error...

  4. #4 Mark says:

    Blocked ok in FF and IE8, but not in ThunderBird (RSS feed). Is NoScript available for ThunderBird?

  5. #5 Giorgio says:

    @Mark:
    No, it's not.

  6. #6 Tom T. says:

    @ Giorgio:

    Posts 4, 5, and 8 appear to be spam, as the sites are unrelated to security or to the Internet at all. Under "Options", they list:

    # Related Blogs on Options
    # hackademix.net » Google Talk Badges vs X-Frame-Options
    # Options for Afghanistan, Pakistan | The Pakistani Spectator
    # Midcourse Corrections » Blog Archive » 14 Online eCommunity …
    # Glass City Jungle » Blog Archive » Ujvagi considering options for …
    # Options for removing advertisements from a Ning site » Moving at …

    So my question is, are they spamming you with link-spam, or are they doing you a favor by link-spamming your site on their own?

  7. #7 Tom T. says:

    Post #9 went up while I was composing. Viral marketing for Hackademix? How clever!

    Apparently, the first batch picked up the keyword, "Options", and Oprah picked up the keyword "talk".

    * Related Blogs on Talk
    * hackademix.net » Google Talk Badges vs X-Frame-Options
    * Read Our Blueprints for World Cup 2010 Coverage, EPL Talk
    * Google Becomes Talk Show Fodder : Beyond Search

    These sites must be bombarded with links if their bots find such common terms, no?

  8. #8 Giorgio says:

    @Tom T.:
    Marked as spam. Notice that comments are autonumbered, therefore your numbers don't make sense anymore.

  9. #9 Aimbot Download says:

    Once again, NoScript saves the day :)
