If I create an iframe like this:
var dialog = $('<div id="' + dialogId + '" align="center"><iframe id="' + frameId + '" src="' + url + '" width="100%" frameborder="0" height="'+frameHeightForIe8+'" data-ssotoken="' + token + '"></iframe></div>').dialog({
How can I fix the error:

Refused to display 'https://www.google.com.ua/?gws_rd=ssl' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

with JavaScript?
You can't set X-Frame-Options on the iframe. That is a response header set by the domain from which you are requesting the resource (google.com.ua in your example). They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. For more information see The X-Frame-Options response header on MDN.
A quick inspection of the headers (shown here in Chrome developer tools) reveals the X-Frame-Options value returned from the host.
With YouTube, you can change the endpoint URL to the "embed" version. See stackoverflow.com/questions/25661182/… (I know this isn't strictly what the OP is searching for, but Google gives this result first!)
Now 2021. According to the MDN docs (developer.mozilla.org/en-US/docs/Web/HTTP/Headers/…), DENY and SAMEORIGIN are the only remaining valid options, with ALLOW-FROM deemed obsolete. Does this mean that cross-site iframes are officially something of the past (except if explicitly circumvented with plugins, etc.)?
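Added example (not code from the question, the answer or the comments): a simplified JavaScript model of the X-Frame-Options check applied to a framed response, showing that the outcome depends only on the framed site's response header and the embedding page's origin, and how DENY, SAMEORIGIN and the obsolete ALLOW-FROM are treated. The names `xfoValues` and `frameDecision` and the embedding page `https://app.example` are hypothetical, and the model covers X-Frame-Options only.

```javascript
// Simplified model of the X-Frame-Options check a browser runs on a framed response.
// Inputs are the framed site's response headers and the embedding pages' URLs only;
// nothing set on the <iframe> element is consulted.

function xfoValues(headers) {
  // Header names are case-insensitive; repeated headers are treated as one comma list.
  const raw = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === 'x-frame-options')
    .map(([, value]) => value)
    .join(',');
  const tokens = raw.split(',').map(v => v.trim().toLowerCase()).filter(Boolean);
  return [...new Set(tokens)];
}

function frameDecision(responseUrl, headers, ancestorUrls) {
  const values = xfoValues(headers);
  if (values.length === 0) return { allowed: true, reason: 'no X-Frame-Options header' };
  if (values.length > 1) {
    // Conflicting recognised directives fail closed.
    return values.some(v => v === 'deny' || v === 'sameorigin')
      ? { allowed: false, reason: 'conflicting X-Frame-Options values' }
      : { allowed: true, reason: 'unrecognised values ignored' };
  }
  if (values[0] === 'deny') return { allowed: false, reason: 'DENY' };
  if (values[0] === 'sameorigin') {
    // Every embedding ancestor must share scheme, host and port with the response.
    const target = new URL(responseUrl).origin;
    const foreign = ancestorUrls.find(u => new URL(u).origin !== target);
    return foreign
      ? { allowed: false, reason: `SAMEORIGIN: ${new URL(foreign).origin} is not ${target}` }
      : { allowed: true, reason: 'SAMEORIGIN and every ancestor matches' };
  }
  // ALLOW-FROM (obsolete) and anything else is unrecognised, so this header adds no restriction.
  return { allowed: true, reason: `unrecognised value "${values[0]}" ignored` };
}

// Constructed sample: the URL from the question, framed by a hypothetical page.
const FRAMED_URL = 'https://www.google.com.ua/?gws_rd=ssl';
const EMBEDDER = ['https://app.example/dialog'];

function demo() {
  return ['SAMEORIGIN', 'DENY', 'ALLOW-FROM https://app.example', 'deny, sameorigin']
    .map(v => ({ header: v, ...frameDecision(FRAMED_URL, { 'X-Frame-Options': v }, EMBEDDER) }));
}

console.log(demo());
```
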