PDA

View Full Version : How to open external domain web page inside a panel. Web with javascript fails.



maneljn
27 Jun 2012, 6:45 AM
Extjs 4.1.1 RC2

I try to open an external url web page inside a panel like this:



Ext.define('esinube.view.esitest.websexternas.google', {
extend: 'Ext.panel.Panel',
alias : 'widget.esinube_view_esitest_websexternas_google',

title: gt.dgettext('esitest','Webs externas - Google'),
html: '<iframe src="http://www.google.com" width="100%" height="100%" ></iframe>',

initComponent: function() {
var me = this;
// Ejecutar metodo de su parent
me.callParent(arguments);

}

});


It does nothing because google.com has javascript inside.
If i change this line with a domain without any javascript inside it works fine.



html: '<iframe src="http://www.cesigrup.com" width="100%" height="100%" ></iframe>',


How could i resolve the problem with javascript pages ?

maneljn
27 Jun 2012, 8:32 AM
in more tests, i can open fine some webs more that contains javascript inside, but with www.google.com it's impossible it don't shows nothing.

Manel

maneljn
27 Jun 2012, 9:36 AM
It seems that Google uses new protection antihacker, and that's the reason about other webs shows well inside and iframe and google doesn't.

From http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#search (http://msdn.microsoft.com/en-us/library/cc288472%28v=vs.85%29.aspx#search)
Clickjacking Defense: Some hackers try to trick users into clicking buttons that appear to perform safe or harmless functions, but instead perform unrelated tasks. Clickjackers embed malicious code or "redress" the user interface by using transparent frames that overlay specific UI elements with misleading text and images. To help prevent clickjacking, Web site owners can send an HTTP response header named X-Frame-Options with HTML pages to restrict how the page may be framed.

X-Frame-Options: Deny If the X-Frame-Options value contains the token Deny, Internet Explorer 8 prevents the page from rendering if it is contained within a frame. If the value contains the token SameOrigin, Internet Explorer will not render the page if the top level-browsing-context differs from the origin of the page containing the directive. Blocked pages are replaced with a "This content cannot be displayed in a frame" error page.

scottmartin
27 Jun 2012, 9:49 AM
Google is placing this restriction on you:
Refused to display document because display forbidden by X-Frame-Options.

See:
https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header

Scott.