Google Not Reciprocating On IFrame Usage?

theodp writes "Over at the Google Web Search Community, posters are questioning why Google feels free to IFrame others' web pages, yet blocks attempts to IFrame pages on its own sites. 'Google has so much contradiction in what it wants for itself and what it does with other websites [e.g., Google frames Slashdot],' quipped one poster. 'Do no evil, right?' And over at the Google Maps Help Forum, developers are also begging for Google to allow them to IFrame entire pages again. 'I know there are other options (&embed etc.),' explains a poster, 'but then there is no sidebar which is useless. I really need the functionality like it was before.' Can any Googlers out there explain The Mystery of 'This content cannot be displayed in a frame'?"

XSRF

[Anonymous Coward]

It's to prevent XF clickjacking, XSS and XSRF attacks. Please see recent web security papers. Many other major sites with valuable login credentials do the same thing.

Re:

[Samantha Wright]

No. The real reason Oracle is doing all the Evil in the world now because Bill Dead Gates said so. This is just another shill post on Oracle here, one of many I have seen in last few days.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mldi]

Antitrust, at least in the U.S., means you're using your market position to influence the market unfairly.

Antitrust != monopoly.

Re:

[PopeRatzo]

The real reason Google is doing all the Evil in the world now because Steve Dead Jobs said so.

Just so everyone knows, I've got a copyright AND patent on the Zombie Steve Jobs halloween costume.

I tried to trademark Zombie Steve Jobs, but Apple already did that sometime in 2007. Being a step ahead of everyone else is part of their corporate culture.

Re:

[moderatorrater]

Exactly. I'm over security for part of a fairly major website and our customers are starting to get after us for not disallowing iframes of our site.

Re:

[dankney]

Exactly. I'm over security for part of a fairly major website and our customers are starting to get after us for not disallowing iframes of our site.

Any authenticated site should be doing this -- it's only a couple of lines of Javascript to reasonably cover your bases.

Why aren't you? Is there some sort of crazy business blocker?

Re:

[Anonymous Coward]

Don't break the law complete defeats the purpose of a motto. The idea of having and sharing the "don't be evil" motto is to show intent to be good citizens beyond simple regulatory requirements to abide by the rules the state hands down. Everything else you say is true it will be used against them but they believe, wrongly or rightly, that it is important to show intent to act in a moral/ethical way beyond what is simply required of them. This may just be simple advertising or it may be a genuine belief

Re:

[utkonos]

Wow, you just used the Cultural Differences argument as if it is the only possibility in ethics. The Cultural Differences argument and Cultural Relativity in general is based on flawed logic. And besides that, there are other alternative philosophical theories. One is that the perception of morality is different for different people, but that the truth of morality is set in stone like the other constants that govern physics and chemistry. There are other philosophical arguments as well. But if you are

Re:

[msobkow]

People have been demanding that security holes be plugged, including these web attacks.

Now they're complaining that Google fixed the problem.

Hopefully they'll stop screaming about Google taking over the world long enough to hear that it's a security fix. Sometimes fixes break existing code.

Clickjacking

[Anonymous Coward]

http://en.wikipedia.org/wiki/Clickjacking may be related.

Security

[Anonymous Coward]

'Clickjacking' UI-Redressing and assorted other attacks rely on framing the target page.

It's a business

[ex-googler]

Get over it, it's a multi billion dollar multi national business. Not your local charity, nor grandma's coffee shop.

Those who cling to the "don't be evil" meme say more about themselves and their naiveté, than it does about Google.

Re:

[luke923]

I think the reason people are upset that Google isn't living up to their own mantra of "Don't be evil" is the fact that they fail to meet the standard they set for themselves. On the other hand, if Google had the phrase, "Let's make lots of money off of others' content and technology," then no one would be upset with some of Google's questionable tactics. It goes back to basic symbolic logic p=>q. If p is false, no matter what q is, the statement is true; however, if p is true and q is false, the whol

Re:

[hedwards]

That's only true if q and only q follows from p. If there is any time when q doesn't logically follow from p then the whole thing breaks down immediately.

In this case there is the alternate explanation that Google is now defaulting to SSL for it's searches and perhaps they don't want to be a party to clickjacking and various other hijinks that could result.

Re:

[dave420]

Hint: There is a perfectly reasonable technical explanation for Google not allowing other sites to host their sites in iframes. Think about it for a minute. Seriously. It's rather easy to figure out. "Good" and "Evil" don't even feature in their reasoning.

Re:

[epine]

Google's motto is "Let's make lots of money off of others' content and technology". Did anyone ever doubt that? It goes without saying.

Where Google comes close to evil is booting people off the Google services without making it possible for the booted user to collect his or her belongings before the door slams their ass. There's effectively no recourse if Google makes an error in their determination. I think this pushes fairly deep into caprice, and with no real upside that I can see. At least your jilt

property law in the cloud era

[epine]

To follow up on my last post:

I wouldn't be unhappy to see property law evolve in the cloud era so that blocking a user from recovering those possessions in a reasonable process and time frame would constitute actual theft.

Property is a social construct and it changes as the embodiment of property changes (wives, children, slaves, agricultural boundaries, water, mineral rights, design, copyright, and in the ridiculous fullness of time as practiced by the legislature and legal profession ... personal cloudwar

Re:

[shentino]

I trust facebook less than I trust google, because facebook consistently tries to update its TOS behind people's backs to allow them to whore you out to advertisers.

Whereas google goes out of its way to make your privacy settings easy to manage.

Re:

[mldi]

Not to mention they make it easy to re-claim/export your data.

Re:

[crutchy]

On SEO pages there shouldn't be any reason to bitch as Google is doing you a service (exposing your site to potential customers). On intranet pages or pages requiring credentials to access, just ban any user agent with "google", "facebook", "bot", etc. That's what I do and I think it would be prudent for any other corporate website management.

Re:

[mldi]

OK, trying to apply the "don't be evil" mantra to this situation is really reaching. The issue of blocking iframes is security-related, end of story. Second, if a website doesn't like people iframing their shit, they can block it too. It's only a double-standard if Google complains.

Clickjacking

[Anonymous Coward]

Preventing other sites from displaying a page from within a frame is a common defense against a web application vulnerability known as Clickjacking [wikipedia.org].

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[dave420]

Christ. There is no contradiction as they don't penalise other sites for not allowing themselves to be rendered in an iframe. If you have a site where clickjacking is a real threat to operations (as Google does, what with them being the #1 search engine, and having a very popular single-sign-on mechanism), you should have the option to disable the site being rendered in a frame. How the fuck is allowing others to do exactly what you do a contradiction?

Re:

[williamhb]

Google has so much contradiction in what it wants for itself and what it does with other websites

For them it already is theirs.
As long as nobody clearly states that it isn't their data, they will treat it as theirs. And nobody is saying that the personal data belongs to the person, so companies can keep confusing you and telling that as soon as it is somehow online, it is not yours anymore.

Are you suggesting Google is a toddler? [berkeley.edu]. They're supposed to be 13 years old now. Someone send them a note to grow up and start grunting and concentrating on their music like any other teenager!

Re:

[gumbi west]

As long as nobody clearly states that it isn't their data, they will treat it as theirs.

Funny, even if your book had that text about not putting it in an automated storage and retrieval system in any format... still got scanned. I think they want you to say not just everyone, but also google in particular.

WTF?

[Mathinker]

The summary seems to imply that Google has "magical powers" which enable it to block displaying its pages in IFrames, which no one else has?

The reality, AFAICT, is that everyone could block Google from displaying their pages in that way, also. They largely just don't (either want, bother or know how to do it), but I fail to see how that makes Google "evil".

Re:

[D'Sphitz]

Exactly. No conspiracy here, if you want to prevent google from displaying your pages in frames you are certainly able to.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[lostmongoose]

Really? I never saw the term "magical powers" anywhere in the summary, nor was it implied in any way. What was implied, and in fact outright stated, is that Google is being hypocritical. They are doing to others what they disallow being done to them.

And what's stopping other from disallowing the same thing? Nothing, that's what. All Google is doing is *dramatic gasp* protecting its users! They may not be doing it out of any altruistic motives, but it is what it is. If web devs are too damn lazy to use the Google APIs for accessing and displaying this data, too damn bad. There's nothing hypocritical about this story.

Re:

[icebraining]

They're not being hypocritical. Some pages can be safely IFRAMEd, others can't. It's up to the website developers to decide, like Google has for their website(s).

Re:

[Mathinker]

> They are taking without giving in kind.

Your comment is, well, bizarre. As I pointed out. Thinking of various real-life analogies makes this clear.

For example, if someone puts up "No Trespassing" signs anywhere on his property, in your opinion he is being hypocritical if he then doesn't continually check, wherever he goes, that he is not on unsigned private land? And what if the country where he is currently visiting doesn't have a central registry for doing this kind of checking --- do you have any ide

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Mathinker]

> What sort of nonsense is this?

What it seemed to me to be what you were proposing? I didn't quite understand how he Mother Theresa analogy in your rebuttal fits the Google situation. You claim that Google is "admonishing others" to not use standard technology which would prevent them from displaying web pages in IFrames? Have any evidence there?

> Google is taking without giving

I don't know about you, but I find them kind of useful, sometimes. Others seem to concur.

> as we are saying that they sure

Re:

[D'Sphitz]

They are taking without giving in kind.

I noticed Google also disallows crawlers to certain url's on google.com [google.com], yet they will happily crawl every url on your site if you don't take similar action to prevent it. We need to put a stop to this madness at once!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[manu0601]

This is no magic, this is the result of the X-Frame-Options HTTP header, sent by Google servers, and honoured by browsers. That avoids a bunch of security vulnerabilities and anyone should do it. The weird thing is that Google still promotes the use of frames when displaying search results.

Congratulations

[Anonymous Coward]

The threads you linked to have 18, 2, and no comments respectively.
While this is mildly interesting, it appears all the links you could find have trivial numbers of people participating.

Nobody cares, this is non-news. Oh wait, Google was mentioned?
There's even a comment about DRM! Everyone loves DRM articles!
Nevermind, proceed with the company-bashing.

Congratulations on spamming your private battle to thousands of people via Slashdot editors.

For many more examples, just Google!

[theodp]

For more examples, Google for 'This content cannot be displayed in a frame' google [google.com].

What?

[xstonedogx]

'Google has so much contradiction in what it wants for itself and what it does with other websites [e.g., Google frames Slashdot],' quipped one poster. 'Do no evil, right?'

I don't see the contradiction. Everyone is allowed to decide whether or not they allow their content to be displayed in iframes. If Google chooses no for itself but takes advantage of the fact that others have chosen yes, that is not hypocrisy. (If Google was forcing yes on others, the poster might have a point.)

There is plenty to complain about here, I'm sure, but that's not it.

Re:

[OeLeWaPpErKe]

I guess the hypocrisy accusation comes from the fact that your argument applies equally well to just about any evil organisation. The problem is simple. If everybody is allowed to shoot and kill, those with guns have the obvious advantage. Since google >>>>>>>>>>> other websites, a similar principle applies here.

Re:

[blackraven14250]

Everyone else has exactly the number of guns that Google does, in that disabling IFrames is a single gun, and any website can use it free of charge. Your argument is bunk.

Re:

[OeLeWaPpErKe]

Everyone else has exactly the number of guns that Google does,

Riiiiight ... you sound like the Iraqi information minister here.

1) Does google have the same technical options as everybody else ? No, they have more (e.g. they use undocumented, or badly documented features of their own software, but it doesn't quite end there)
2) Does google have the same clout as everybody else ? Definitely not.

Browser script?

[Anonymous Coward]

Couldn't you write a browser script that modifies JavaScript's window object and such to make frame-breaking impossible?
And if you were a browser developer, couldn't you restrict frame-breaking to pages within the same website?

Restrict frame-breaking or restrict framing

[tepples]

And if you were a browser developer, couldn't you restrict frame-breaking to pages within the same website?

Browser developers would be more likely to restrict framing itself to documents within the same origin.

Google is an advertising company, get over it!

[ad454]

Google is an advertising company. Nearly all of their sites and services are focused to drive ad revenue.

Please note: 2011-Q3: Total Ad Revenue $9.335B (96%), Other Revenue $0.385M (4%)
Source: Google Financial Results [google.com]

If Google did allow 3rd party frames of its websites, than that creates the situation that someone else can add their own advertising onto Google's pages/services, and prevents them from completing controlling the entire ad experience and ad revenue.

Personally I don't fault Google for this, si

Re:

[MimeticLie]

So you're arguing that Google is unwilling to tolerate the existence of other ad networks? That's odd, especially considering how many you can find using Google itself. [google.com] Someone using ads on a service that used a Google IFrame wouldn't stop Google from making money on its own ads.

The other posters have hit the nail on the head. When you're dealing with as much personal data as Google, it would be irresponsible to allow IFrames. The fact that clickjacking isn't on the security radar of most users makes the

Re:

[OeLeWaPpErKe]

The argument is that google is perfectly willing to add it's own adds to views of other people's webpages, yet refused the reverse (e.g. someone showing google with an add on top).

Re:

[MimeticLie]

Is Google adding ads to other people's sites? I just checked some search results and didn't see that happening. If you look at the image linked in the summary, there are no Google ads on the page.

Anyway, Google putting other pages in IFrames isn't an issue, so long as you can block the use of IFrames and still be listed by Google. That's entirely equitable: they're able to opt-out and you're able to opt-out. And, unless I'm very much mistaken, that's how it works.

Re:

[OeLeWaPpErKe]

Okay, search for a term which has ads. Don't make it complicated, make it "car". There you go : content from external sites, google's ads. But this is quite tame, right ?

Now hover your mouse over one of the results. Boom. All content of the external site, rendered. Google's ads still visible (and more prominent than those on the external site).

Alternatively, click on the ">>" icon to the right of a result entry.

Re:

[MimeticLie]

So you're complaining that the ads on Google's search page are more prominent then the ads in a thumbnail? How is that comparable to your "showing google with an add on top" example from above? Regardless of the content of the story, you'd find something to complain about, wouldn't you?

Re:

[OeLeWaPpErKe]

I'm not complaining, I like the thumbnails. But they do constitute exactly the situation you asked me to demonstrate :
1) they're showing the site's content, often with the sites' advertisements downplayed
2) google's ads, by contrast, are superimposed on that

Re:

[flimflammer]

This isn't why they're doing it. It's an issue of security, not protecting revenue by blocking sites from injecting their own ads into a framed google...

use the APIs

[Gravis Zero]

Google has lots of APIs to let you do most anything. If you need to embed an entire page from google then you are doing it wrong. This is a security issue and frankly I'm glad they are acting responsible.

DOING IT WRONG:

I am designing a web site and I wish to make extensive use of google.com via iframing.

Re:

[Civil_Disobedient]

Well, yeah, but some of their APIs are "doing it wrong." Just one example (one that recently burned us): the Google Image Charts API has a neat feature that allows you to fetch the image data to construct an image map of a chart. [google.com] Just append "&chof=json" to any image request and viola! a nice, handy JSON object.

Except... wait a second! That's totally useless! Why? Because there's no way to actually fetch the JSON object. If you put the URL as the SRC attribute of a script block, it doesn't return

What's wrong with writing the proxy?

[tepples]

What's wrong with writing the proxy, as you suggested? Is it that you'd run into rate limits per IP address that are far too low for a site that gets as much traffic as you reasonably plan to get?

Re:

[Civil_Disobedient]

Is it that you'd run into rate limits per IP address that are far too low for a site that gets as much traffic as you reasonably plan to get?

This, plus the concern that we might be violating Google's ToS by using one (they can be very picky about that kind of thing). We don't want to run afoul of the Goog.

JSON is for server-to-server, unlike JSONP

[tepples]

I see a web API that uses JSON (as opposed to JSONP) as an implicit statement that the API is intended for server-to-server communication, as opposed to communication directly with a user agent. If Google disagrees, consider it the same as discontinuing the service, which I'm pretty sure the TOS says Google can do at any time for any reason. If you think this is something Google is likely to disable for you specifically before it discontinues the service for the world, is it that the API allows the server t

fundamental problem

[StripedCow]

The fundamental problem here is that google's services are ones you'd expect a government to run. But of course, google is not the government and the free market model in which google operates does not force them to work as a government. In other words, they do not need to serve the needs of all of their clients, but instead, to make a profit, they need to serve the needs of most of their clients. And that's the fundamental problem, and it isn't going away until either the government takes over google, spec

Re:

[canajin56]

So you are proposing government mandated elimination of security measures? Do you by chance make a living by phishing?

Re:

[flimflammer]

...what google services are ones you would expect a government to run? I can't think of a single one.

Re:

[flimflammer]

Does Google even provide such maps? I don't think there's anything in Google maps to differentiate such roads.

Their business, their rules

[kikito]

You can ask them to give you your money back if you are not satisfied.

YouTube uses iframes

[trawg]

I found it interesting a couple months back when YouTube changed to using iframes by default for their embed code.

You can check 'use old embed code' to use the original object code, but I haven't seen anyone do this since they made the change.

I was massively surprised when they made this move because of the security side of things; I'm completely unsurprised that they're blocking iframes, but I'm just as surprised they're using them by default in Youtube.

Aren't iframes part of the HTML standard?

[dpbsmith]

I'm not a Web standards maven, but I thought that whereever iframes originally came from, they were now a completely legitimate part of the W3C HTML standard. If so, then they ought to work with anything. The description in the HTML 4.01 standard seems to be here [w3.org], and as a non-language-lawyer it seems to me that it is supposed to work unless your "user agent" (browser) does not support frames.

If Google is intentionally doing something makes properly formed, Web-standard HTML not work properly, then shame on

Re:

[Intropy]

It's standard HTML to use IFrames on a page. It's also standard to be able to flag a page with "don't load me in an IFrame." Google is raising that flag.

Re:

[ace123]

Yes, and the original standard allowed any site to frame any other site and access any data from it... This isn't 1999, and you shouldn't be quoting a 12-year-old spec to talk about security issues that weren't even known at the time. Read the HTML5 spec and maybe you will start to see just how many nuances there are in keeping things working while having security on top. Not even the HTML5 spec explains all the complicated shit that browsers have to do... Mozilla's documentation is the best resource for th

MDBG

[Pinky3]

When translating from Chinese to English at http://www.mdbg.net/chindict/chindict.php?page=translate [mdbg.net] , the explanation is money.

October 14, 2011

Please note: This only affects the translation of text from Chinese to English and vice versa. The functionality to look up individual words or the dictionary definitions of any Chinese word in a text remains unchanged!

The translation page of this website uses (now and before) Google Translate to perform text translation. Google recently changed their previously fre

Don't be evil, not do no evil!

[ArtemaOne]

Stop misquoting. These are hugely different slogans. A non-evil person can do evil, and it does not make him evil.

I can't use it for unblocking anymore

[mshenrick]

at school, they proxy through EMBC, who block stuff. If they want to block something themselves, at one time they had an inhouse smoothwall (dansguardian/squid) server, but they now block it by using the remote administration tool, by looking at the window title. eg notdoppler.com, which is unblocked at school, is closed automatically when a window with 'notdoppler' in it opens. I used to have a HTML page in my documents with 2 frames, a 1 pixel blank one, and Google. Now since google blocks frames (it seem

stop filtering by referrer

[mshenrick]

I hate it when websites filter by referrer and claim you are stealing their bandwidth. Really? It's just a hyperlink. If you're going to complain don't put it on the web! I use a Firefox add-on to spoof the referrer, to the wikipedia article on referrer spoofing, and sometimes sites claim I'm stealing their bandwidth, and recaptcha doesn't work, but luckily the extension has an exceptions list

Re:DRM for webpages

[rivetgeek]

Any person who modded this up needs a refresher in basic application security. The ability to iframe in a page allows for attacks like clickjacking.

Re:

[dave420]

There is *nothing* stopping anyone from implementing iframe-busting on their sites. It won't hurt their search ranking. They are merely showing that if a site is a large target for malicious scripts, it makes incredible sense to stop it from being ran in an iframe.

Re:

[flimflammer]

...what? How the hell do you even come to that conclusion?

iframing a website doesn't automatically make you a clickjacker, but google owes it to its users to prevent that possibility from others who would abuse it.

Re:

[pentadecagon]

They do it for security. It's OK if you don't understand it. You apparently don't like Google. That's OK as well. But neither is a good reason for posting hate-speech.

Come to the dark side - feel the anger -

[h00manist]

The dark side has it's own gravity.

Re:

[Anonymous Coward]

Learn your grammar please. It's "its" not "it's".

Re:

[Urkki]

Showing a page in an IFRAME is really no different from viewing it in, say, an ad-supported webbrowser (like older versions of Opera).

Yes, it's quite different. It's same only if you have the habit of downloading random web browsers, the way you browse random web pages. You have to trust web browser much more than you have to trust a random web page, since web browser has access to everything you do online with it. Clickjacking, XSS & co are real.

Re:

[Hognoxious]

This isn't a hivemind, it's a forum.

I agree.