Short version: The App Engine login page, when invoked via HTTPS, specifies the quite new "X-Frame-Options" header. I understand this header and what it's for, etc., but is there some mechanism to let us specify NOT to add this limitation in specialist circumstances?
Background: My GAE-backed webapp has a bookmarklet to allow users to note something about the current page (cf. Posterous, bit.ly, Evernote, etc.) when generally browsing the web (yeah, yeah, Chrome extension coming soon, I've written a couple already). The bookmarklet loads a bit of JavaScript that then inserts an absolute div to mimic a floating window, embeds an iframe, populates a hidden form and submits this form to my GAE handler, which returns a visible form with various fields filled in (document title, document URL, etc.) with defaults. The user tinkers with the fields and submits the form to my GAE handler, which saves the data under their account.

Now this has been working fine, but when invoked on an HTTPS page in Google Chrome 13 (dev channel), Chrome refuses to let scripts loaded by HTTP run in an HTTPS document (it used to just warn; now it actually blocks the execution). Fair enough, so my bookmarklet now checks if the page is HTTP or HTTPS and then loads the initial script from my domain (http://www.mysparebrain.com) or via the HTTPS appspot URL (https://margate-sands.appspot.com), in which case Chrome is happy to let it execute within an HTTPS page. The div pops up, the iframe is populated, and submits itself.

Now at this stage, if the user is not currently logged in, the GAE login page pops up inside the iframe (where the form content would appear). This works fine in the HTTP case, but in the HTTPS case the extra HTTP header ("X-Frame-Options") is set, and so the browser refuses to display the login form within the iframe. Now I know this header is designed to stop click-jacking and the like, but it's a bit of a pain here, and it currently only applies to the HTTPS-invoked login. I can make the bookmarklet pop up a genuine new window and do its work in there, but they sort of suck, what with popup blockers and the like.
So it's a question about the lesser of a number of evils - is this extra header an absolute given, or is there any leeway, such as an app.yaml setting or something I can do in the request itself, to say that I'm happy to proceed within a frame?

Cheers -- Tim
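As an added illustration (this is not code from Tim's post, nor App Engine's own logic), the snippet below models how a browser decides whether a response carrying X-Frame-Options may render inside an iframe. All URLs in it are constructed placeholders, and the SAMEORIGIN check is simplified to compare the framed document's origin with the top-level document only, which is how Chrome of that era behaved. It shows why the login page loads fine when visited directly but is refused inside a bookmarklet iframe whose top-level document is some third-party site.

```javascript
'use strict';

// Reduce a URL to its origin (scheme + host + port); null if unparseable.
function originOf(urlString) {
  try {
    return new URL(urlString).origin;
  } catch (e) {
    return null;
  }
}

// Parse an X-Frame-Options header value into a policy object.
// Returns null for an absent or unrecognised value, which browsers ignore.
function parseXFrameOptions(headerValue) {
  if (headerValue == null) return null;
  const raw = headerValue.trim();
  const upper = raw.toUpperCase();
  if (upper === 'DENY') return { mode: 'DENY' };
  if (upper === 'SAMEORIGIN') return { mode: 'SAMEORIGIN' };
  if (upper.startsWith('ALLOW-FROM ')) {
    // ALLOW-FROM was only honoured by a few browsers and is now obsolete;
    // kept here so the model covers every documented value.
    const origin = originOf(raw.slice('ALLOW-FROM '.length).trim());
    return origin ? { mode: 'ALLOW-FROM', origin } : null;
  }
  return null;
}

// Decide whether the response for framedUrl may render inside a frame whose
// top-level document is topUrl. headerValue is the X-Frame-Options header
// (or undefined if the response did not send one).
function framingAllowed(headerValue, framedUrl, topUrl) {
  const policy = parseXFrameOptions(headerValue);
  if (!policy) return true; // no valid header: X-Frame-Options imposes nothing
  const framedOrigin = originOf(framedUrl);
  const topOrigin = originOf(topUrl);
  switch (policy.mode) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return framedOrigin !== null && framedOrigin === topOrigin;
    case 'ALLOW-FROM':
      return topOrigin === policy.origin;
    default:
      return true;
  }
}

// Constructed scenario mirroring the post: the login page (placeholder host
// login.example) sends SAMEORIGIN, and the bookmarklet's iframe sits on an
// unrelated HTTPS page.
const LOGIN_URL = 'https://login.example/ServiceLogin';
const THIRD_PARTY_PAGE = 'https://news.example/some-article';

function bookmarkletFrameCanShowLogin() {
  return framingAllowed('SAMEORIGIN', LOGIN_URL, THIRD_PARTY_PAGE);
}

function directVisitCanShowLogin() {
  // Visiting the login page directly: top-level document is the page itself.
  return framingAllowed('SAMEORIGIN', LOGIN_URL, LOGIN_URL);
}

console.log('inside bookmarklet iframe:', bookmarkletFrameCanShowLogin());
console.log('visited directly:', directVisitCanShowLogin());
```

The point for the thread: SAMEORIGIN is evaluated against the origin of the page the user is reading, not against the origin of the script that created the iframe, so serving the bookmarklet from the HTTPS appspot domain does not change the outcome. A login page without the header would frame anywhere, which is exactly the click-jacking exposure the header exists to close.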
