Disaster has struck e-civilization; Google Talk chatback badges (as seen in the right column on this very blog) are broken! The small iframe remains grey in Firefox, but with some scrolling the following message can be seen:
This content cannot be displayed in a frame
To protect your security, the publisher of this content does
not allow it to be displayed in a frame.
Click here to open this content in a new window
Googling that error message brings up a blog post that explains what is going on: the HTTP response header of the page in the iframe includes “x-frame-options: sameorigin”. That directive tells most modern browsers not to display the page in the iframe (because it is not embedded in a page of the same origin), to protect you from possible clickjacking.
x-frame-options was introduced by Microsoft in IE8 and seems to be implemented in Safari 4 and Chrome 3 as well. Firefox, on the other hand, hasn’t included this feature (yet?), but I got the error message thanks to the great NoScript security extension for Firefox, which (somewhat reluctantly) provides “bullet parity” with IE8’s security features this way (you can stop NoScript from doing this by setting “noscript.frameOptions.enabled” to “false” in about:config).
But back to the root of this problem: Google is breaking their own Talk chatback badge by adding “x-frame-options: sameorigin” to the response headers. Weird huh?
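To make the decision described above concrete, here is an added example (not code from the original post, Google or NoScript) that models how a browser applies x-frame-options to a framed page; the badge and blog hostnames are constructed placeholders, and checking every ancestor frame is an assumption chosen on the conservative side, since some browsers only compare against the top-level page.

```javascript
// Added example: a minimal model of a browser evaluating the
// X-Frame-Options response header for a document loaded in an <iframe>.
// Origin = scheme + host + port, the same-origin rule the header relies on.
// Hostnames used below are constructed placeholders, not real badge URLs.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

// headerValue:  the X-Frame-Options value, or undefined when the header is absent
// framedUrl:    the document loaded inside the <iframe>
// ancestorUrls: every document above it, outermost page first
// Assumption: all ancestors are checked (the conservative reading);
// some browsers compare only against the top-level page.
function evaluateFrameOptions(headerValue, framedUrl, ancestorUrls) {
  if (headerValue === undefined || headerValue === null) {
    return { allowed: true, reason: "no X-Frame-Options header" };
  }
  const directive = headerValue.trim().toUpperCase();
  const framed = originOf(framedUrl);
  const ancestors = ancestorUrls.map(originOf);

  if (directive === "DENY") {
    return { allowed: false, reason: "DENY: never render in a frame" };
  }
  if (directive === "SAMEORIGIN") {
    const foreign = ancestors.find((o) => o !== framed);
    return foreign === undefined
      ? { allowed: true, reason: `SAMEORIGIN: all ancestors are ${framed}` }
      : { allowed: false, reason: `SAMEORIGIN: ${foreign} is not ${framed}` };
  }
  // Unknown or malformed directive: this model refuses to render it. That is
  // a deliberate conservative choice here, not the behaviour of any one browser.
  return { allowed: false, reason: `unrecognised directive "${headerValue}"` };
}

// The situation from the post: a chat badge served with "sameorigin" and
// embedded on a third-party blog. Both URLs are constructed sample values.
function badgeScenario() {
  return evaluateFrameOptions(
    "sameorigin",
    "https://badge.example.com/talkgadget",
    ["https://blog.example.org/post/123"]
  );
}

console.log(badgeScenario()); // allowed: false, the blog is a foreign origin
```

The same check succeeds as soon as the embedding page shares the badge's origin, which is exactly why a badge meant for third-party sites cannot be served with sameorigin.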