Here’s a fun way to waste an afternoon:
- You have a user flow that involves reading user docs: some gDocs, some YouTube videos, and some UI practice links of your own.
- Opening these in a new tab is annoying, right?
- So you move them into modals using `iframe`s
- Everything works! ??
- Then, you give it to QA…
- 2 out of 8 links don’t open for them.
- O.o
Every link opens a modal with an iframe. That part works. Two of the links – a YouTube video and a UI practice widget – never load.
You think it might be a slowness issue because you wait a few seconds and there’s no loading indicator. So you ask them to wait… doesn’t help. QA waits for many minutes but the two `iframe`s stay blank.
o.O
You investigate. It still works for you. But QA is using Windows.
You find a Windows machine, do the Windows 10 forced update dance, and download the latest Chrome. It’s not a computer you use very often. The touchpad feels funny.
The two `iframe`s, they don’t load. Wut.
The console sheds a clue: `Refused to display because it set X-Frame-Options to SAMEORIGIN`.
What the hell is X-Frame-Options? Why does Google only return results and StackOverflow questions from 2010, 2012, and 2013? Most of them still in PHP! Why have I not heard of this!?
`X-Frame-Options: SAMEORIGIN` is an HTTP header that guards websites against clickjacking attacks. It tells browsers, “Yo, don’t open this page in an iframe”.
YouTube sets the header for URLs that aren’t `embed` links, which explains the single YT link that didn’t work in my case. I was using `embed` links for all but one of them. ?
And our own practice-the-interface link?
Rails 4 sets `X-Frame-Options: SAMEORIGIN` for everything as a default security measure. I just never noticed before.
At least it was easy to fix – don’t send the header. :D
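To see the rule that blanked those two iframes, here is an added example (not code from the original post) in Ruby, since the header came from Rails: it checks a framed page's response headers the way a browser does before rendering it inside an `iframe`. The origins and sample headers are constructed, and it models a single-level iframe like the modals in the story.

```ruby
require 'uri'

# Origin = scheme://host[:port]; this is what SAMEORIGIN compares.
def origin_of(url)
  u = URI.parse(url)
  port = u.port == u.default_port ? '' : ":#{u.port}"
  "#{u.scheme.downcase}://#{u.host.downcase}#{port}"
end

# Does a CSP frame-ancestors source list admit this embedder origin?
# Simplification (assumption): supports 'none', 'self', '*' and exact origins,
# not wildcard hosts such as https://*.example.com.
def frame_ancestors_allow?(sources, embedder, framed)
  sources.any? do |s|
    case s.downcase
    when "'none'" then false
    when "'self'" then embedder == framed
    when '*'      then true
    else s.include?('://') && origin_of(s) == embedder
    end
  end
end

# headers:      response headers of the page loaded inside the <iframe>
# embedder_url: the page that contains the <iframe> (the modal's page)
# framed_url:   the URL loaded inside the <iframe>
# Returns [allowed, reason].
def framing_allowed?(headers, embedder_url, framed_url)
  h = headers.transform_keys { |k| k.to_s.downcase }
  embedder = origin_of(embedder_url)
  framed   = origin_of(framed_url)

  # A CSP frame-ancestors directive, when present, overrides X-Frame-Options.
  csp = h['content-security-policy'].to_s
  directive = csp.split(';').map(&:strip).find { |d| d.start_with?('frame-ancestors') }
  if directive
    return [frame_ancestors_allow?(directive.split(/\s+/).drop(1), embedder, framed), directive]
  end

  case h['x-frame-options'].to_s.strip.upcase
  when 'DENY'       then [false, 'X-Frame-Options: DENY']
  when 'SAMEORIGIN' then [embedder == framed, 'X-Frame-Options: SAMEORIGIN']
  when ''           then [true, 'no framing restriction sent']
  else [true, 'unrecognized X-Frame-Options value, ignored by browsers'] # assumption: single bad value
  end
end

# Constructed sample: the Rails 4 default headers that blanked the practice widget.
RAILS4_DEFAULT = { 'X-Frame-Options' => 'SAMEORIGIN', 'Content-Type' => 'text/html' }.freeze
```

In Rails 4 the header comes from `config.action_dispatch.default_headers`; dropping it only for the actions that must be embeddable keeps SAMEORIGIN on the rest of the app.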
But why did it work on my computer?
At first, I thought maybe it’s because Chrome Mac and Chrome Windows behave differently. I tried on a coworker’s machine, and it didn’t work. It stopped the `iframe`s like it’s supposed to.
Then I thought, “Maybe it’s because I’m on localhost.” Nope, wasn’t that.
Maybe it figures out `swizec.ngrok.io` points to my local machine? Wait… the YouTube link worked, so it can’t be that.
…Why doesn’t my computer protect me from clickjacking? This is not ideal…
But hey, at least I know about X-Frame-Options now. That was fun. ?