Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Google Not Reciprocating On IFrame Usage?

timothy posted more than 2 years ago | from the embedded-wars dept.

Google 115

theodp writes "Over at the Google Web Search Community, posters are questioning why Google feels free to IFrame others' web pages, yet blocks attempts to IFrame pages on its own sites. 'Google has so much contradiction in what it wants for itself and what it does with other websites [e.g., Google frames Slashdot],' quipped one poster. 'Do no evil, right?' And over at the Google Maps Help Forum, developers are also begging for Google to allow them to IFrame entire pages again. 'I know there are other options (&embed etc.),' explains a poster, 'but then there is no sidebar which is useless. I really need the functionality like it was before.' Can any Googlers out there explain The Mystery of 'This content cannot be displayed in a frame'?"

cancel ×

115 comments

Sorry! There are no comments related to the filter you selected.

Text goes here (-1, Offtopic)

fotoguzzi (230256) | more than 2 years ago | (#37811592)

First IFramed post!

Re:Text goes here (-1)

Anonymous Coward | more than 2 years ago | (#37811718)

What I want to know is why Slashdot has one standard for Apple and other for everybody else?

Re:Text goes here (0)

Anonymous Coward | more than 2 years ago | (#37812362)

Why isn't Usain Bolt isn't allowed to participate in the special olympics?

Re:Text goes here (0)

Anonymous Coward | more than 2 years ago | (#37812464)

You mean the one standard where Slashdot picks on everything Apple does?

Re:Text goes here (1)

heinousjay (683506) | more than 2 years ago | (#37812496)

The truth is simple: there is no homogenous Slashdot standard. This isn't a hivemind, it's a forum.

Re:Text goes here (2)

Hognoxious (631665) | more than 2 years ago | (#37814908)

This isn't a hivemind, it's a forum.

I agree.

XSRF (5, Informative)

Anonymous Coward | more than 2 years ago | (#37811602)

It's to prevent XF clickjacking, XSS and XSRF attacks. Please see recent web security papers. Many other major sites with valuable login credentials do the same thing.

Re:XSRF (0)

Anonymous Coward | more than 2 years ago | (#37811712)

This. Allowing other pages to embed your full page in an iframe is borderline negligent. It sucks Google has to make things harder for third party developers, but the Internet isn't exactly Hello Kitty Island.

Re:XSRF (-1, Flamebait)

E IS mC(Square) (721736) | more than 2 years ago | (#37811738)

No. The real reason Google is doing all the Evil in the world now because Steve Dead Jobs said so. This is just another shill post on Google here, one of many I have seen in last few days.

Re:XSRF (0)

Samantha Wright (1324923) | more than 2 years ago | (#37811962)

No. The real reason Oracle is doing all the Evil in the world now because Bill Dead Gates said so. This is just another shill post on Oracle here, one of many I have seen in last few days.

Re:XSRF (1)

hairyfeet (841228) | more than 2 years ago | (#37812274)

Bets on how long until they are busted for antitrust? although frankly after Intel got away with bribery AND compiler rigging (which they are still doing BTW) frankly I think our DoJ is as worthless as tits on a boar hog.

But between double standards for themselves and the rumor they are looking at buying Yahoo [yahoo.com] which would give them pretty much the entire webmail market (FYI Yahoo email has over 300 million unique users, about double what Gmail has in the US as well, its the one thing Yahoo is #1 on) frankly Google is starting to scare me. they have more info on everyone than most spook factories could ever dream of, thanks to their tax dodging they have huge amounts of capital they can wave around, and frankly their RDF makes the one the late Jobs had look like a tinker toy.

Frankly apple? Really doesn't scare me. Their desire for crazy high margins makes sure they stay at the top end and never really venture below the mid to high price range but Google? Android is showing up on everything from low rent tablets and TVs to the latest high end stuff, all that data...yeah MSFT will end up IBM, big in business but not really going much past their core markets, Apple will continue to be the boutique high end brand, but Google could easily become another "ultrasupermegacorp' like MSFT was in the 90s and we all know how nice they turned out to be for competition. Ballmer can throw chairs and want to fucking kill Google but Google is the 8000 pound gorilla and can fucking kill anybody it wants now. that much power in ANY hands i find a little scary.

Re:XSRF (2)

PopeRatzo (965947) | more than 2 years ago | (#37813750)

The real reason Google is doing all the Evil in the world now because Steve Dead Jobs said so.

Just so everyone knows, I've got a copyright AND patent on the Zombie Steve Jobs halloween costume.

I tried to trademark Zombie Steve Jobs, but Apple already did that sometime in 2007. Being a step ahead of everyone else is part of their corporate culture.

Re:XSRF (1)

moderatorrater (1095745) | more than 2 years ago | (#37811728)

Exactly. I'm over security for part of a fairly major website and our customers are starting to get after us for not disallowing iframes of our site.

Keep your motto amoral (0)

Anonymous Coward | more than 2 years ago | (#37812332)

This is why the phrase "Don't be evil" never should have been associated with Google. It was basically a challenge to the world to find and shout about anything Google does which could be considered "immoral" (via an obvious association with the word "evil"). Since morality is different for different people, there will always be people feeling completely justified in saying "so now Google is evil. Ha!"

"Don't break the law" is a much better motto, imo.

Re:Keep your motto amoral (2, Insightful)

Anonymous Coward | more than 2 years ago | (#37812532)

Don't break the law complete defeats the purpose of a motto. The idea of having and sharing the "don't be evil" motto is to show intent to be good citizens beyond simple regulatory requirements to abide by the rules the state hands down. Everything else you say is true it will be used against them but they believe, wrongly or rightly, that it is important to show intent to act in a moral/ethical way beyond what is simply required of them. This may just be simple advertising or it may be a genuine belief that this type of corporate cultural artifact is vital to being the company they want to be but either way it's not as simple as don't do things that can be used against you because it's not a simple tactics exercise but a philosophical one instead.

Re:Keep your motto amoral (1)

utkonos (2104836) | more than 2 years ago | (#37813152)

Wow, you just used the Cultural Differences argument as if it is the only possibility in ethics. The Cultural Differences argument and Cultural Relativity in general is based on flawed logic. And besides that, there are other alternative philosophical theories. One is that the perception of morality is different for different people, but that the truth of morality is set in stone like the other constants that govern physics and chemistry. There are other philosophical arguments as well. But if you are going to use one, at least don't make it sound like its a fact of life or something when it is not.

Re:XSRF (2)

msobkow (48369) | more than 2 years ago | (#37814484)

People have been demanding that security holes be plugged, including these web attacks.

Now they're complaining that Google fixed the problem.

Hopefully they'll stop screaming about Google taking over the world long enough to hear that it's a security fix. Sometimes fixes break existing code.

Clickjacking (4, Informative)

Anonymous Coward | more than 2 years ago | (#37811614)

http://en.wikipedia.org/wiki/Clickjacking may be related.

Security (1)

Anonymous Coward | more than 2 years ago | (#37811618)

'Clickjacking' UI-Redressing and assorted other attacks rely on framing the target page.

It's a business (1, Troll)

ex-googler (2090078) | more than 2 years ago | (#37811620)

Get over it, it's a multi billion dollar multi national business. Not your local charity, nor grandma's coffee shop.

Those who cling to the "don't be evil" meme say more about themselves and their naiveté, than it does about Google.

Re:It's a business (2)

luke923 (778953) | more than 2 years ago | (#37811804)

I think the reason people are upset that Google isn't living up to their own mantra of "Don't be evil" is the fact that they fail to meet the standard they set for themselves. On the other hand, if Google had the phrase, "Let's make lots of money off of others' content and technology," then no one would be upset with some of Google's questionable tactics. It goes back to basic symbolic logic p=>q. If p is false, no matter what q is, the statement is true; however, if p is true and q is false, the whole statement is false. In other words, if Google never implied that they were never gonna be evil, they would be logically consistent, but since they tried to make that implication and failed, people that care about such things are thusly upset.

Re:It's a business (1)

hedwards (940851) | more than 2 years ago | (#37811842)

That's only true if q and only q follows from p. If there is any time when q doesn't logically follow from p then the whole thing breaks down immediately.

In this case there is the alternate explanation that Google is now defaulting to SSL for it's searches and perhaps they don't want to be a party to clickjacking and various other hijinks that could result.

Re:It's a business (1, Insightful)

dave420 (699308) | more than 2 years ago | (#37811844)

Hint: There is a perfectly reasonable technical explanation for Google not allowing other sites to host their sites in iframes. Think about it for a minute. Seriously. It's rather easy to figure out. "Good" and "Evil" don't even feature in their reasoning.

Re:It's a business (2)

epine (68316) | more than 2 years ago | (#37811908)

Google's motto is "Let's make lots of money off of others' content and technology". Did anyone ever doubt that? It goes without saying.

Where Google comes close to evil is booting people off the Google services without making it possible for the booted user to collect his or her belongings before the door slams their ass. There's effectively no recourse if Google makes an error in their determination. I think this pushes fairly deep into caprice, and with no real upside that I can see. At least your jilted GF has the decency to pitch your possessions out the window. It can't be that hard for Google to implement a "data export only" authentication level.

The problem with inference from evil is that first you need to define evil, and if you elect to paint evil as "everything you don't approve of" you're left pretty much speechless by some of the things other companies do, if you're paying attention.

property law in the cloud era (2)

epine (68316) | more than 2 years ago | (#37811994)

To follow up on my last post:

I wouldn't be unhappy to see property law evolve in the cloud era so that blocking a user from recovering those possessions in a reasonable process and time frame would constitute actual theft.

Property is a social construct and it changes as the embodiment of property changes (wives, children, slaves, agricultural boundaries, water, mineral rights, design, copyright, and in the ridiculous fullness of time as practiced by the legislature and legal profession ... personal cloudwares).

Re:It's a business (0)

Anonymous Coward | more than 2 years ago | (#37812402)

At this point, Google and Facebook are effectively in the race for who can become the digital rebirth of the former Soviet Union. They want everyone's information, to arrange as they see fit and make money off of it. They also want to mess around with people's privacy until the end result is everything is fully open to the public.

The funny thing is, the quickest way to shut them both down is simply not to use them. If they can't make money off the content they try to archive or scrape from the web, inevitably, they'll shut down and go away.

I block Google anything (*.google.com, *.google-syndication.com, *.googlesyndication.com, *.googleadsyndication.com, *.gstatic.com, *.googleusercontent.com, *.doubleclick.com, *.blogger.com, *.blogspot.com, *.picasa.com, *.youtube.com... and the same domains for .net and .org just in case they use a secondary domain) and I don't ever search Google until after I've tried Bing, Blekko, DuckDuckGo, and Gigablast.

(I also block *.facebook.com, *.fbcdn.com, *.fbkcdn.com, *.opengraphprotocal.com, *.opengraph.com... and the associated .net and .org extensions as well.)

Google alienated me once already, and those information hungry vultures who are all too willing to open up information to ruin people's lives whenever possible won't ever get a second chance from me ever again.

Re:It's a business (1)

crutchy (1949900) | more than 2 years ago | (#37811996)

On SEO pages there shouldn't be any reason to bitch as Google is doing you a service (exposing your site to potential customers). On intranet pages or pages requiring credentials to access, just ban any user agent with "google", "facebook", "bot", etc. That's what I do and I think it would be prudent for any other corporate website management.

DRM for webpages (-1)

mmcuh (1088773) | more than 2 years ago | (#37811644)

Showing a page in an IFRAME is really no different from viewing it in, say, an ad-supported webbrowser (like older versions of Opera). There is no reason to try to stop it other than being an asshole. It's like DRM for webpages - you may only view this page in the way we tell you to!

ALL YOUR document.window ARE BELONG TO US!!!

Re:DRM for webpages (4, Informative)

rivetgeek (977479) | more than 2 years ago | (#37811750)

Any person who modded this up needs a refresher in basic application security. The ability to iframe in a page allows for attacks like clickjacking.

Re:DRM for webpages (0)

Anonymous Coward | more than 2 years ago | (#37811822)

So you are saying that clickjacking is OK as long as you are Google?

I can understand and agree with Google's approach to it, but it sure is a double standard. Google trusts itself not to abuse it. But what about the invasion of IP for revenue?

Re:DRM for webpages (1)

dave420 (699308) | more than 2 years ago | (#37811872)

There is *nothing* stopping anyone from implementing iframe-busting on their sites. It won't hurt their search ranking. They are merely showing that if a site is a large target for malicious scripts, it makes incredible sense to stop it from being ran in an iframe.

Re:DRM for webpages (1)

flimflammer (956759) | more than 2 years ago | (#37812568)

...what? How the hell do you even come to that conclusion?

iframing a website doesn't automatically make you a clickjacker, but google owes it to its users to prevent that possibility from others who would abuse it.

Re:DRM for webpages (3)

pentadecagon (1926186) | more than 2 years ago | (#37811788)

They do it for security. It's OK if you don't understand it. You apparently don't like Google. That's OK as well. But neither is a good reason for posting hate-speech.

Re:DRM for webpages (0)

Anonymous Coward | more than 2 years ago | (#37812198)

They do it for security. It's OK if you don't understand it. You apparently don't like Google. That's OK as well. But neither is a good reason for posting hate-speech.

I think you're mistaken, Not liking something is the best reason for posting hate speech about it.

Come to the dark side - feel the anger - (1)

h00manist (800926) | more than 2 years ago | (#37811810)

The dark side has it's own gravity.

Re:Come to the dark side - feel the anger - (1)

Anonymous Coward | more than 2 years ago | (#37811832)

Learn your grammar please. It's "its" not "it's".

Re:Come to the dark side - feel the anger - (0)

Anonymous Coward | more than 2 years ago | (#37813256)

Yore missing a comma after "grammar".

Re:DRM for webpages (1)

Urkki (668283) | more than 2 years ago | (#37811820)

Showing a page in an IFRAME is really no different from viewing it in, say, an ad-supported webbrowser (like older versions of Opera).

Yes, it's quite different. It's same only if you have the habit of downloading random web browsers, the way you browse random web pages. You have to trust web browser much more than you have to trust a random web page, since web browser has access to everything you do online with it. Clickjacking, XSS & co are real.

Denied (0)

Anonymous Coward | more than 2 years ago | (#37811866)

I'm an asshole.
X-FRAME-OPTIONS: DENY

(Filter error: Don't use so many caps)

Clickjacking (1)

Anonymous Coward | more than 2 years ago | (#37811666)

Preventing other sites from displaying a page from within a frame is a common defense against a web application vulnerability known as Clickjacking [wikipedia.org] .

iframes are evil. (0)

Anonymous Coward | more than 2 years ago | (#37811668)

google is evil.

Re:iframes are evil. (0)

Anonymous Coward | more than 2 years ago | (#37812900)

iframes are awesome and you're a retard

The LORD gave, and the LORD hath taken away (-1)

Animats (122034) | more than 2 years ago | (#37811722)

The LORD gave, and the LORD hath taken away; blessed be the name of the LORD. - Job 1.21

Re:The LORD gave, and the LORD hath taken away (-1)

Anonymous Coward | more than 2 years ago | (#37813866)

Blessed be the name of my COCK.

There is no contradiction (3, Insightful)

houghi (78078) | more than 2 years ago | (#37811724)

Google has so much contradiction in what it wants for itself and what it does with other websites

For them it already is theirs.
As long as nobody clearly states that it isn't their data, they will treat it as theirs. And nobody is saying that the personal data belongs to the person, so companies can keep confusing you and telling that as soon as it is somehow online, it is not yours anymore.

Re:There is no contradiction (1, Insightful)

dave420 (699308) | more than 2 years ago | (#37811890)

Christ. There is no contradiction as they don't penalise other sites for not allowing themselves to be rendered in an iframe. If you have a site where clickjacking is a real threat to operations (as Google does, what with them being the #1 search engine, and having a very popular single-sign-on mechanism), you should have the option to disable the site being rendered in a frame. How the fuck is allowing others to do exactly what you do a contradiction?

Re:There is no contradiction (1)

williamhb (758070) | more than 2 years ago | (#37813114)

Google has so much contradiction in what it wants for itself and what it does with other websites

For them it already is theirs.
As long as nobody clearly states that it isn't their data, they will treat it as theirs. And nobody is saying that the personal data belongs to the person, so companies can keep confusing you and telling that as soon as it is somehow online, it is not yours anymore.

Are you suggesting Google is a toddler? [berkeley.edu] . They're supposed to be 13 years old now. Someone send them a note to grow up and start grunting and concentrating on their music like any other teenager!

Re:There is no contradiction (1)

gumbi west (610122) | more than 2 years ago | (#37813178)

As long as nobody clearly states that it isn't their data, they will treat it as theirs.

Funny, even if your book had that text about not putting it in an automated storage and retrieval system in any format... still got scanned. I think they want you to say not just everyone, but also google in particular.

WTF? (5, Insightful)

Mathinker (909784) | more than 2 years ago | (#37811726)

The summary seems to imply that Google has "magical powers" which enable it to block displaying its pages in IFrames, which no one else has?

The reality, AFAICT, is that everyone could block Google from displaying their pages in that way, also. They largely just don't (either want, bother or know how to do it), but I fail to see how that makes Google "evil".

Re:WTF? (2)

D'Sphitz (699604) | more than 2 years ago | (#37811806)

Exactly. No conspiracy here, if you want to prevent google from displaying your pages in frames you are certainly able to.

Re:WTF? (2, Interesting)

nightfell (2480334) | more than 2 years ago | (#37812148)

The summary seems to imply that Google has "magical powers" which enable it to block displaying its pages in IFrames, which no one else has?

Really? I never saw the term "magical powers" anywhere in the summary, nor was it implied in any way. What was implied, and in fact outright stated, is that Google is being hypocritical. They are doing to others what they disallow being done to them.

The reality, AFAICT, is that everyone could block Google from displaying their pages in that way, also. They largely just don't (either want, bother or know how to do it), but I fail to see how that makes Google "evil".

They are taking without giving in kind. The whole "evil" thing is stupid to begin with, but if you're going to use a term like that so loosely (like Google does, so fuck them, they deserve it right back), then this is a good example of just that.

Re:WTF? (1)

lostmongoose (1094523) | more than 2 years ago | (#37812268)

Really? I never saw the term "magical powers" anywhere in the summary, nor was it implied in any way. What was implied, and in fact outright stated, is that Google is being hypocritical. They are doing to others what they disallow being done to them.

And what's stopping other from disallowing the same thing? Nothing, that's what. All Google is doing is *dramatic gasp* protecting its users! They may not be doing it out of any altruistic motives, but it is what it is. If web devs are too damn lazy to use the Google APIs for accessing and displaying this data, too damn bad. There's nothing hypocritical about this story.

Re:WTF? (1)

icebraining (1313345) | more than 2 years ago | (#37812740)

They're not being hypocritical. Some pages can be safely IFRAMEd, others can't. It's up to the website developers to decide, like Google has for their website(s).

Re:WTF? (2)

Mathinker (909784) | more than 2 years ago | (#37813508)

> They are taking without giving in kind.

Your comment is, well, bizarre. As I pointed out. Thinking of various real-life analogies makes this clear.

For example, if someone puts up "No Trespassing" signs anywhere on his property, in your opinion he is being hypocritical if he then doesn't continually check, wherever he goes, that he is not on unsigned private land? And what if the country where he is currently visiting doesn't have a central registry for doing this kind of checking --- do you have any idea the amount of effort it would then take for him to merely move around without being hypocritical in your eyes (or at least, in the eyes of the summary based on your interpretation)?

Does someone who picks up a penny off the public street then have the obligation, for the rest of his life, to intentionally drop coins so others will have equal opportunity to pick up coins? Or is it enough that he doesn't take special steps not to drop coins? Exactly how many coins might he obliged to drop in order to not be hypocritical, one for every other human on the Earth?

> The whole "evil" thing is stupid to begin with,

Well, in some ways I can agree with that part of your comment. A non-evil advertising company? Oxymoron if you ever thought of one. But, it's actually genius marketing --- to the extent that I'm not even totally convinced that the story of the "Don't be evil" origin (that it was originated by an idealistic/ethical Google engineer, not a marketing droid) is 100% true and unembellished.

Re:WTF? (1)

D'Sphitz (699604) | more than 2 years ago | (#37813900)

They are taking without giving in kind.

I noticed Google also disallows crawlers to certain url's on google.com [google.com] , yet they will happily crawl every url on your site if you don't take similar action to prevent it. We need to put a stop to this madness at once!

Re:WTF? (0)

Anonymous Coward | more than 2 years ago | (#37812594)

Google has so much contradiction in what it wants for itself and what it does with other websites [e.g., Google frames Slashdot],' quipped one poster. 'Do no evil, right?'

Look, really, a Slashdotter could hear a rumor that some lowly engineer at Google could flush a toilet wrong (according to that Slashdotter) and Slashdot would be abuzz with smartass "ZOMG TEHY DID EVIL Y U SAY DO NO EVIL GOOGGLEZ?" remarks. What Slashdot says really doesn't matter anymore.

Re:WTF? (1)

manu0601 (2221348) | more than 2 years ago | (#37813510)

This is no magic, this is the result of the X-Frame-Options HTTP header, sent by Google servers, and honoured by browsers. That avoids a bunch of security vulnerabilities and anyone should do it. The weird thing is that Google still promotes the use of frames when displaying search results.

Congratulations (3, Insightful)

Anonymous Coward | more than 2 years ago | (#37811746)

The threads you linked to have 18, 2, and no comments respectively.
While this is mildly interesting, it appears all the links you could find have trivial numbers of people participating.

Nobody cares, this is non-news. Oh wait, Google was mentioned?
There's even a comment about DRM! Everyone loves DRM articles!
Nevermind, proceed with the company-bashing.

Congratulations on spamming your private battle to thousands of people via Slashdot editors.

Re:Congratulations (-1)

Anonymous Coward | more than 2 years ago | (#37813906)

I wasn't surprised to see this was greenlit by timothy. He's the worst editor /. has.

What? (3, Insightful)

xstonedogx (814876) | more than 2 years ago | (#37811762)

'Google has so much contradiction in what it wants for itself and what it does with other websites [e.g., Google frames Slashdot],' quipped one poster. 'Do no evil, right?'

I don't see the contradiction. Everyone is allowed to decide whether or not they allow their content to be displayed in iframes. If Google chooses no for itself but takes advantage of the fact that others have chosen yes, that is not hypocrisy. (If Google was forcing yes on others, the poster might have a point.)

There is plenty to complain about here, I'm sure, but that's not it.

Re:What? (1)

OeLeWaPpErKe (412765) | more than 2 years ago | (#37812692)

I guess the hypocrisy accusation comes from the fact that your argument applies equally well to just about any evil organisation. The problem is simple. If everybody is allowed to shoot and kill, those with guns have the obvious advantage. Since google >>>>>>>>>>> other websites, a similar principle applies here.

Re:What? (1)

blackraven14250 (902843) | more than 2 years ago | (#37813674)

Everyone else has exactly the number of guns that Google does, in that disabling IFrames is a single gun, and any website can use it free of charge. Your argument is bunk.

Browser script? (1)

Anonymous Coward | more than 2 years ago | (#37811794)

Couldn't you write a browser script that modifies JavaScript's window object and such to make frame-breaking impossible?
And if you were a browser developer, couldn't you restrict frame-breaking to pages within the same website?

Restrict frame-breaking or restrict framing (1)

tepples (727027) | more than 2 years ago | (#37813736)

And if you were a browser developer, couldn't you restrict frame-breaking to pages within the same website?

Browser developers would be more likely to restrict framing itself to documents within the same origin.

Cry some more.... (-1)

Anonymous Coward | more than 2 years ago | (#37811816)

Somebody call the WHAAAAAAAAAAAmbulance because we have a baby emergency. Little baby cannot find tissue please send help.

Who gives a rat's ass about iframes... (0)

Anonymous Coward | more than 2 years ago | (#37811850)

Frames are responsible for so many hidden viruses, exploits, and malware... Good riddance.

Do no evil? Hah (0)

Anonymous Coward | more than 2 years ago | (#37811930)

Google management is so desperate for growth, they will do anything to achieve it. The company is run by high-tech "mafiosos" who don't know how to make money except through advertising fed by intellectual property infringement and privacy invasion.

Google is an advertising company, get over it! (1, Informative)

ad454 (325846) | more than 2 years ago | (#37811936)

Google is an advertising company. Nearly all of their sites and services are focused to drive ad revenue.

Please note: 2011-Q3: Total Ad Revenue $9.335B (96%), Other Revenue $0.385M (4%)
Source: Google Financial Results [google.com]

If Google did allow 3rd party frames of its websites, than that creates the situation that someone else can add their own advertising onto Google's pages/services, and prevents them from completing controlling the entire ad experience and ad revenue.

Personally I don't fault Google for this, since they are behaving exactly as one would expect from an advertising company. I think that other websites sites also need to use JavaScript and web tags to prevent Google using them in frames.

Re:Google is an advertising company, get over it! (1)

MimeticLie (1866406) | more than 2 years ago | (#37812436)

So you're arguing that Google is unwilling to tolerate the existence of other ad networks? That's odd, especially considering how many you can find using Google itself. [google.com] Someone using ads on a service that used a Google IFrame wouldn't stop Google from making money on its own ads.

The other posters have hit the nail on the head. When you're dealing with as much personal data as Google, it would be irresponsible to allow IFrames. The fact that clickjacking isn't on the security radar of most users makes the problem all the more significant.

Re:Google is an advertising company, get over it! (1)

OeLeWaPpErKe (412765) | more than 2 years ago | (#37812718)

The argument is that google is perfectly willing to add it's own adds to views of other people's webpages, yet refused the reverse (e.g. someone showing google with an add on top).

Re:Google is an advertising company, get over it! (2)

MimeticLie (1866406) | more than 2 years ago | (#37813658)

Is Google adding ads to other people's sites? I just checked some search results and didn't see that happening. If you look at the image linked in the summary, there are no Google ads on the page.

Anyway, Google putting other pages in IFrames isn't an issue, so long as you can block the use of IFrames and still be listed by Google. That's entirely equitable: they're able to opt-out and you're able to opt-out. And, unless I'm very much mistaken, that's how it works.

Re:Google is an advertising company, get over it! (1)

OeLeWaPpErKe (412765) | more than 2 years ago | (#37814438)

Okay, search for a term which has ads. Don't make it complicated, make it "car". There you go : content from external sites, google's ads. But this is quite tame, right ?

Now hover your mouse over one of the results. Boom. All content of the external site, rendered. Google's ads still visible (and more prominent than those on the external site).

Alternatively, click on the ">>" icon to the right of a result entry.

Re:Google is an advertising company, get over it! (1)

MimeticLie (1866406) | more than 2 years ago | (#37814564)

So you're complaining that the ads on Google's search page are more prominent then the ads in a thumbnail? How is that comparable to your "showing google with an add on top" example from above? Regardless of the content of the story, you'd find something to complain about, wouldn't you?

Re:Google is an advertising company, get over it! (2)

flimflammer (956759) | more than 2 years ago | (#37812632)

This isn't why they're doing it. It's an issue of security, not protecting revenue by blocking sites from injecting their own ads into a framed google...

Re:Google is an advertising company, get over it! (0)

Anonymous Coward | more than 2 years ago | (#37813606)

if $9.335B is 96% then I fear that $0.385M isn't 4%. You probably meant $0.385B.

use the APIs (5, Insightful)

Gravis Zero (934156) | more than 2 years ago | (#37811950)

Google has lots of APIs to let you do most anything. If you need to embed an entire page from google then you are doing it wrong. This is a security issue and frankly I'm glad they are acting responsible.

DOING IT WRONG:

I am designing a web site and I wish to make extensive use of google.com via iframing.

Re:use the APIs (1)

Civil_Disobedient (261825) | more than 2 years ago | (#37813664)

Well, yeah, but some of their APIs are "doing it wrong." Just one example (one that recently burned us): the Google Image Charts API has a neat feature that allows you to fetch the image data to construct an image map of a chart. [google.com] Just append "&chof=json" to any image request and viola! a nice, handy JSON object.

Except... wait a second! That's totally useless! Why? Because there's no way to actually fetch the JSON object. If you put the URL as the SRC attribute of a script block, it doesn't return an instantiated object. If you try fetching the object through an async request, you'll fail because you violate same-origin policies.

What you really need is a JSONP object, as this fellow complained about earlier [google.com] . Notice how many responses he's gotten? ZILCH.

Basically the only way you can actually use their handy JSON hook is to set up your own proxy that passes requests along as generated POSTs to Google's server, then returns the results wrapped in an execution block. It's completely asinine.

What's wrong with writing the proxy? (1)

tepples (727027) | more than 2 years ago | (#37813746)

What's wrong with writing the proxy, as you suggested? Is it that you'd run into rate limits per IP address that are far too low for a site that gets as much traffic as you reasonably plan to get?

Re:What's wrong with writing the proxy? (1)

Civil_Disobedient (261825) | more than 2 years ago | (#37814424)

Is it that you'd run into rate limits per IP address that are far too low for a site that gets as much traffic as you reasonably plan to get?

This, plus the concern that we might be violating Google's ToS by using one (they can be very picky about that kind of thing). We don't want to run afoul of the Goog.

fundamental problem (1)

StripedCow (776465) | more than 2 years ago | (#37812092)

The fundamental problem here is that google's services are ones you'd expect a government to run. But of course, google is not the government and the free market model in which google operates does not force them to work as a government. In other words, they do not need to serve the needs of all of their clients, but instead, to make a profit, they need to serve the needs of most of their clients. And that's the fundamental problem, and it isn't going away until either the government takes over google, special regulations are put in place, or our market model is fundamentally changed. This whole iframe thing is just symptomatic of this problem.

Re:fundamental problem (2)

canajin56 (660655) | more than 2 years ago | (#37812130)

So you are proposing government mandated elimination of security measures? Do you by chance make a living by phishing?

Re:fundamental problem (0)

Anonymous Coward | more than 2 years ago | (#37812208)

If you see that statement in the OP you must have been smoking something good.

Re:fundamental problem (0)

Anonymous Coward | more than 2 years ago | (#37812202)

Uh..... no? I would say that there is pretty much nothing google does that I expect a government to do for the populace. But I would be wrong to say such a thing. Because there is not pretty much nothing.. there is truly nothing that google does that a government should/does do for its citizens.

Its also hard to argue that you need to frame google pages. If you need content from google pages, there are APIs for quite a lot of it. How true is this for pages that Google displays in frames?

The fundamental problem is that people like you don't get that google's pages are valuable to attack and iframes are but one way to attack them. So google don't allow it. Your careless, thoughtless dumbfuck blog page can't make nearly the same claim. But if you were concerned about it, you too could prevent anybody (including google) from iframing your pages.

Re:fundamental problem (2)

flimflammer (956759) | more than 2 years ago | (#37812638)

...what google services are ones you would expect a government to run? I can't think of a single one.

Re:fundamental problem (0)

Anonymous Coward | more than 2 years ago | (#37812874)

Free maps of all those roads the government builds with public money for public use. Over here you have to pay for government maps.

Re:fundamental problem (1)

flimflammer (956759) | more than 2 years ago | (#37812998)

Does Google even provide such maps? I don't think there's anything in Google maps to differentiate such roads.

Internet vampire (0)

Anonymous Coward | more than 2 years ago | (#37812184)

Is this news? Google is an internet vampire. Vampires feel free to suck blood as they will but are usually a little more picky about their own life force.

Use Google Custom Search (0)

Anonymous Coward | more than 2 years ago | (#37812252)

Google Search contains "potentially clickjackable" Google+ widgets, so it's protected by this header. Google Custom search doesn't have this problem, so it's easily embeddable.

http://www.google.com/custom

Frames are horrible anyway (0)

Anonymous Coward | more than 2 years ago | (#37812406)

I hope all the non-google people now "retaliate" by blocking frames too, with X-Frame-Options [wikipedia.org] on the server. Then we can be free of frames.

Their business, their rules (2)

kikito (971480) | more than 2 years ago | (#37812424)

You can ask them to give you your money back if you are not satisfied.

YouTube uses iframes (1)

trawg (308495) | more than 2 years ago | (#37812610)

I found it interesting a couple months back when YouTube changed to using iframes by default for their embed code.

You can check 'use old embed code' to use the original object code, but I haven't seen anyone do this since they made the change.

I was massively surprised when they made this move because of the security side of things; I'm completely unsurprised that they're blocking iframes, but I'm just as surprised they're using them by default in Youtube.

Aren't iframes part of the HTML standard? (1)

dpbsmith (263124) | more than 2 years ago | (#37812908)

I'm not a Web standards maven, but I thought that whereever iframes originally came from, they were now a completely legitimate part of the W3C HTML standard. If so, then they ought to work with anything. The description in the HTML 4.01 standard seems to be here [w3.org] , and as a non-language-lawyer it seems to me that it is supposed to work unless your "user agent" (browser) does not support frames.

If Google is intentionally doing something makes properly formed, Web-standard HTML not work properly, then shame on them. This isn't a question of "reciprocating" or "not reciprocating," it's a question of following Web standards or not. It's bad enough when a company is just too lazy or careless to follow them, but if a company intentionally makes proper HTML not work, I think that qualifies as "evil."

Re:Aren't iframes part of the HTML standard? (1)

Intropy (2009018) | more than 2 years ago | (#37813440)

It's standard HTML to use IFrames on a page. It's also standard to be able to flag a page with "don't load me in an IFrame." Google is raising that flag.

Re:Aren't iframes part of the HTML standard? (1)

ace123 (758107) | more than 2 years ago | (#37814262)

Yes, and the original standard allowed any site to frame any other site and access any data from it... This isn't 1999, and you shouldn't be quoting a 12-year-old spec to talk about security issues that weren't even known at the time. Read the HTML5 spec and maybe you will start to see just how many nuances there are in keeping things working while having security on top. Not even the HTML5 spec explains all the complicated shit that browsers have to do... Mozilla's documentation is the best resource for this stuff because they describe what a real browser does. Here you go, first google result:
https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header [mozilla.org]

X-Frame-Options is a standard header (despite the "X-" part, it is a standard security feature built into *all* modern web browsers, including IE), and it is up to a site owner to choose to use it. This is the only guaranteed way to solve clickjacking attacks. Other methods require javascript enabled and some nasty hacks. See this page if you don't believe me:
http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed [stackoverflow.com]

That said, it's like using a hammer to put in a staple, way overkill. Problem is, there is no way to guarantee that your page is not being clickjacked -- there are so many ways to do a clickjacking attack that browsers simply can't guard against all of them, for example, plugins, opacity, ...

Yes, users shouldn't be stupid enough to input confidential information when the address bar has an untrusted URL... but the clickjacking attack works by showing users confidential information that only a trusted site could possibly know and giving them a familiar login form... It's very difficult for all but the most trained user to distinguish this type of site from the real thing.

Not all sites use this, but Google decided it was worth adding the header to protect themselves. That's their decision to make. For my web page, I'm considering the javascript-based solution because it allows a more clear message and lets users override the check if necessary, but this may compromise security in one or two cases, so it's a tradeoff.

Re:Aren't iframes part of the HTML standard? (0)

Anonymous Coward | more than 2 years ago | (#37814464)

When you make judgements like that without actually understanding the whole situation, I think that qualifies as "ignorant".

MDBG (0)

Pinky3 (22411) | more than 2 years ago | (#37813790)

When translating from Chinese to English at http://www.mdbg.net/chindict/chindict.php?page=translate [mdbg.net] , the explanation is money.

October 14, 2011

Please note: This only affects the translation of text from Chinese to English and vice versa. The functionality to look up individual words or the dictionary definitions of any Chinese word in a text remains unchanged!

The translation page of this website uses (now and before) Google Translate to perform text translation. Google recently changed their previously freely available website integration APIs to a paid service. This has forced us to change the way translation results are presented.
from http://www.mdbg.net/chindict/chindict.php?page=20111014_newtranslatepage [mdbg.net]

I actually don't even know what iframes are, but this seems related. All I know is that the translations are full of google, and that two weeks ago they weren't. You need to paste or write some Chinese text in the box and click go to see the new output. Of course it won't mean as much if you never saw the old output without the word google plastered all over it.

Don't be evil, not do no evil! (1)

ArtemaOne (1300025) | more than 2 years ago | (#37814232)

Stop misquoting. These are hugely different slogans. A non-evil person can do evil, and it does not make him evil.

Ok... look... (0)

Anonymous Coward | more than 2 years ago | (#37814816)

There is NOTHING on google you need to be using an iframe for. NOTHING! And they are right for blocking you from doing it.

I can't use it for unblocking anymore (1)

mshenrick (1874438) | more than 2 years ago | (#37815122)

at school, they proxy through EMBC, who block stuff. If they want to block something themselves, at one time they had an inhouse smoothwall (dansguardian/squid) server, but they now block it by using the remote administration tool, by looking at the window title. eg notdoppler.com, which is unblocked at school, is closed automatically when a window with 'notdoppler' in it opens. I used to have a HTML page in my documents with 2 frames, a 1 pixel blank one, and Google. Now since google blocks frames (it seems to be IE that complies with that request, and I can't use Firefox, as since they upgraded to Windows 7 you can't run EXE's of removable media) so I have to put in the URL in the source directly everytime. I hope no more sites doing this, or since as I said it seems to be IE that complies with that request to block framed Google, I find a way to override this 'safety'
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>