Any way cURL could be used to determine which pages don't allow iframe embedding?

schwim

Hi there everyone!

I'm trying to embed various URLs in an iframe with my script above it, allowing people to vote on the page being displayed below. I've quickly come to realize that sites like Youtube do not like this.

I'm wondering if there's any way I could use php to determine whether the page allows you to use it in an iframe. That way, I could open in a new window if need be.

It seems that there has to be some kind of flag being raised because one of the browsers that I'm testing with tells me that Youtube doesn't allow the page to be displayed in an iframe. Something must have happened for Youtube to pass that info to the browser. I am wondering if I can get that info via php.

thanks for your time!

bradgrafelman

It's most likely JavaScript being utilized to see if the current window is the "top" window (i.e. the outer-most "frame"), in which case no, cURL wouldn't be of any help.

dalecosp

Well, if you knew what the JS was that was "unframing" the site, you could use cURL to grab the HTML and then parse it to see if it was there.

The problem is, there's many ways to do it with JS and it might well change, or it could be obfuscated, or ....

dalecosp

As for the app ... what about generating a thumbnail image of the site for your users to vote on?

schwim

dalecosp;11042397 wrote:
Well, if you knew what the JS was that was "unframing" the site, you could use cURL to grab the HTML and then parse it to see if it was there.

The problem is, there's many ways to do it with JS and it might well change, or it could be obfuscated, or ....

The page I first came across the issue is with my test page.

https://www.youtube.com/watch?v=dQw4w9WgXcQ

WARNING: It leads to Rick Astley - Never Gonna Give You Up. I'm not rickrolling you, it really is my test page.

I've looked through the source but haven't found anything yet. Nonetheless, as soon as I put it in an iframe, on IE, I get a friendly notice that the page does not allow being embedded and in FF, it just shows a blank iframe.

schwim

Here is something of interest:

Here's my test page with the YT page inside an iframe:

http://schw.im/iframe-remote.html

I viewed the page source of the YT page, and pasted it to a file locally on my server.

http://schw.im/iframe-local.html

It seems to be the identical source, but somehow the page being generated knows when it's being called remotely. I've no clue why. My local copy of the page still calls all the j/s and css.

bradgrafelman

So one thing they're doing is sending a special HTTP header; Chrome had this to say:

Refused to display 'https://www.youtube.com/watch?v=dQw4w9WgXcQ' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Once Chrome was set to ignore X-Frame-Options, your iframe-remote.html page worked as expected.

schwim

I'm having problems finding the answer to this. Is x-frame-options something that can be retrieved with curl? I'm already utilizing two curl functions, one to validate the URL status and one to get title, description and keywords from the url:

function verifyUrlExists($url) {
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_NOBODY, true);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	curl_exec($ch);
	$response = curl_getinfo($ch, CURLINFO_HTTP_CODE);
	curl_close($ch);

return (!empty($response) && $response != 404);
}

function headerInfo($url)
{
    $ch = curl_init();

curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);

$data = curl_exec($ch);
curl_close($ch);

return $data;

Is there a chance I can condense these two and the check for xfo into one do-it-all curl function?

bradgrafelman

Why validate the URL before using it? Same principle as INSERT statements with unique constraints - just do the action and see if you were successful.

And yes, the X-Frame-Options is just Yet Another HTTP Header someone has used to extend the specification and apparently many(/most?) modern browsers support it.

dalecosp

bradgrafelman;11042421 wrote:
Why validate the URL before using it? Same principle as INSERT statements with unique constraints - just do the action and see if you were successful.

And yes, the X-Frame-Options is just Yet Another HTTP Header someone has used to extend the specification and apparently many(/most?) modern browsers support it.

Interesting find.

I suppose it's not possible to make the iframe a local script that cURL's the page and outputs the results? Would that take care of the X-Frame-Options header?