  • Any way cURL could be used to determine which pages don't allow iframe embedding?

Hi there everyone!

I'm trying to embed various URLs in an iframe with my script above it, allowing people to vote on the page being displayed below. I've quickly come to realize that sites like YouTube do not like this.

I'm wondering if there's any way I could use PHP to determine whether the page allows you to use it in an iframe. That way, I could open in a new window if need be.

It seems that there has to be some kind of flag being raised because one of the browsers that I'm testing with tells me that YouTube doesn't allow the page to be displayed in an iframe. Something must have happened for YouTube to pass that info to the browser. I am wondering if I can get that info via PHP.

Thanks for your time!

    It's most likely JavaScript being utilized to see if the current window is the "top" window (i.e. the outer-most "frame"), in which case no, cURL wouldn't be of any help.

      Well, if you knew what the JS was that was "unframing" the site, you could use cURL to grab the HTML and then parse it to see if it was there.

      The problem is, there's many ways to do it with JS and it might well change, or it could be obfuscated, or ....

        As for the app ... what about generating a thumbnail image of the site for your users to vote on?

          dalecosp;11042397 wrote:

          Well, if you knew what the JS was that was "unframing" the site, you could use cURL to grab the HTML and then parse it to see if it was there.

          The problem is, there's many ways to do it with JS and it might well change, or it could be obfuscated, or ....

          The page where I first came across the issue is my test page.

          https://www.youtube.com/watch?v=dQw4w9WgXcQ

          WARNING: It leads to Rick Astley - Never Gonna Give You Up. I'm not rickrolling you, it really is my test page.

          I've looked through the source but haven't found anything yet. Nonetheless, as soon as I put it in an iframe, on IE, I get a friendly notice that the page does not allow being embedded and in FF, it just shows a blank iframe.

            Here is something of interest:

            Here's my test page with the YT page inside an iframe:

            http://schw.im/iframe-remote.html

            I viewed the page source of the YT page, and pasted it to a file locally on my server.

            http://schw.im/iframe-local.html

            It seems to be the identical source, but somehow the page being generated knows when it's being called remotely. I've no clue why. My local copy of the page still calls all the j/s and css.

              So one thing they're doing is sending a special HTTP header; Chrome had this to say:

              Refused to display 'https://www.youtube.com/watch?v=dQw4w9WgXcQ' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

              Once Chrome was set to ignore X-Frame-Options, your iframe-remote.html page worked as expected.

                I'm having problems finding the answer to this. Is x-frame-options something that can be retrieved with curl? I'm already utilizing two curl functions, one to validate the URL status and one to get title, description and keywords from the url:

                // Returns true when the URL answers with any status other than 404.
                function verifyUrlExists($url) {
                    $ch = curl_init();
                    curl_setopt($ch, CURLOPT_URL, $url);
                    curl_setopt($ch, CURLOPT_NOBODY, true);         // request headers only, no body
                    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                    curl_exec($ch);
                    $response = curl_getinfo($ch, CURLINFO_HTTP_CODE);
                    curl_close($ch);

                    return (!empty($response) && $response != 404);
                }

                // Fetches the page body; response headers are not part of the returned data.
                function headerInfo($url)
                {
                    $ch = curl_init();

                    curl_setopt($ch, CURLOPT_HEADER, 0);            // do not prepend headers to the output
                    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                    curl_setopt($ch, CURLOPT_URL, $url);
                    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);    // follow redirects to the final page

                    $data = curl_exec($ch);
                    curl_close($ch);

                    return $data;
                }

                Is there a chance I can condense these two and the check for xfo into one do-it-all curl function?

                  Why validate the URL before using it? Same principle as INSERT statements with unique constraints - just do the action and see if you were successful.

                  And yes, the X-Frame-Options is just Yet Another HTTP Header someone has used to extend the specification and apparently many(/most?) modern browsers support it.
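
An added example, not code from any poster in this thread: one cURL request that returns the HTTP status, the body and whether the response headers forbid framing. It goes beyond the thread by also reading the Content-Security-Policy `frame-ancestors` directive, which current browsers apply in preference to X-Frame-Options. `fetchPage()`, `canFrame()` and `https://vote.example` are hypothetical names.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.
// Assumes the embedding site is cross-origin to the page, so SAMEORIGIN and
// 'self' mean "blocked"; wildcard hosts in frame-ancestors also count as blocked.
// $headers: lower-case header name => list of values from the final response.
function canFrame(array $headers, string $embedderOrigin): bool {
    $cspSeen = false;
    foreach ($headers['content-security-policy'] ?? [] as $csp) {
        if (!preg_match('/(?:^|;)\s*frame-ancestors\s+([^;]*)/i', $csp, $m)) continue;
        $src = preg_split('/\s+/', strtolower(trim($m[1])));
        if (!in_array('*', $src, true) && !in_array(strtolower($embedderOrigin), $src, true)) {
            return false;
        }
        $cspSeen = true;
    }
    if ($cspSeen) return true; // frame-ancestors overrides X-Frame-Options
    foreach ($headers['x-frame-options'] ?? [] as $xfo) {
        if (in_array(strtoupper(trim($xfo)), ['DENY', 'SAMEORIGIN'], true)) return false;
    }
    return true;
}

// One request: HTTP status, body and the framing decision together.
function fetchPage(string $url, string $embedderOrigin): array {
    $headers = [];
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_HEADERFUNCTION => function ($ch, $line) use (&$headers) {
            if (stripos($line, 'HTTP/') === 0) {
                $headers = []; // status line: next response in a redirect chain
            } elseif (strpos($line, ':') !== false) {
                [$name, $value] = explode(':', $line, 2);
                $headers[strtolower(trim($name))][] = trim($value);
            }
            return strlen($line);
        },
    ]);
    $body = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    $ok = $body !== false && $status >= 200 && $status < 400;
    return ['ok' => $ok, 'status' => $status, 'body' => $body,
            'frameable' => $ok && canFrame($headers, $embedderOrigin)];
}
// Constructed sample: the header Chrome reported for the YouTube page above.
var_dump(canFrame(['x-frame-options' => ['SAMEORIGIN']], 'https://vote.example'));
```

A `frameable` value of true only means no response header forbids framing; script-based frame busting, raised earlier in the thread, is not detected this way.
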

                    bradgrafelman;11042421 wrote:

                    Why validate the URL before using it? Same principle as INSERT statements with unique constraints - just do the action and see if you were successful.

                    And yes, the X-Frame-Options is just Yet Another HTTP Header someone has used to extend the specification and apparently many(/most?) modern browsers support it.

                    Interesting find.

                    I suppose it's not possible to make the iframe a local script that cURL's the page and outputs the results? Would that take care of the X-Frame-Options header?
