
Social Media sites preventing other sites displaying their pages in an iFrame

Last week at work we noticed that if you try and display a YouTube page in an iFrame you are shown a page stating that this is not allowed. A link is shown that takes you direct to the page. We looked at other social media sites, both Facebook and Twitter also do this.

I have two questions. One, how is this done? My guess is it's a check something like:

if(window != top){
  // display 'error' page
}

The other question is why is this done? My first thoughts were maybe it was to do with security but the more I've thought about it, the more I think it's a legal thing or a marketing decision.


Websites don't want other websites stealing their content. I remember implementing something like this as far back as in the nineties. You pretty much answered your own question. However, it is also a security issue. At least with Twitter, there used to be some malicious sites, which would do the following:

  1. Make some bs website with something about tweeting or posting something, showing some kind of form.
  2. Include an iframe pointing to http://twitter.com/share?text=SPAM_TEXT_HERE
  3. Position that iframe into a place where a button for the bs site's form would be.
  4. Scroll the iframe so that only the "Tweet" button shows from the iframe.

This way they would get people tweeting their spammy tweets.
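
On the "how is this done" question: besides a script check like `window != top`, a site can have the browser itself refuse to render it in a frame by sending an `X-Frame-Options` or `Content-Security-Policy: frame-ancestors` response header. The following is an added example, not part of the original posts: a simplified JavaScript check (the function name `framingVerdict` and the `.example` origins are made up for illustration) that reads a response's headers and reports whether a page on another origin could frame it.

```javascript
// Added example. Simplified model: one ancestor level, one value per header,
// and only 'none', 'self', * and exact origins as frame-ancestors sources.
function framingVerdict(headers, pageOrigin, embedderOrigin) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // When CSP frame-ancestors is present it takes precedence over X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1).map(s => s.toLowerCase());
    const allowed = sources.some(s =>
      s === '*' ||
      (s === "'self'" && embedderOrigin === pageOrigin) ||
      s === embedderOrigin.toLowerCase());
    return { allowed, reason: 'CSP frame-ancestors ' + sources.join(' ') };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: embedderOrigin === pageOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  // Missing or unrecognised value: the browser applies no framing restriction.
  return { allowed: true, reason: 'no anti-framing header' };
}

// Constructed sample responses (not captured from any real site).
const samples = [
  ['legacy header', { 'X-Frame-Options': 'SAMEORIGIN' }],
  ['CSP header', { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" }],
  ['unprotected', { 'Content-Type': 'text/html' }],
];
for (const [name, hdrs] of samples) {
  const v = framingVerdict(hdrs, 'https://social.example', 'https://other.example');
  console.log(`${name}: ${v.allowed ? 'FRAMEABLE' : 'blocked'} (${v.reason})`);
}
```

A response that comes back "FRAMEABLE" here is the kind that the overlay trick in the steps above depends on; the script check from the question only helps if the framed page's JavaScript actually runs.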


The problem is in YouTube policies. I give you the official answer by YouTube's David Boyle and the correct embed options on the API's page https://developers.google.com/youtube/player_parameters?hl=it

Hello YouTube API Developers,

This Wednesday, January 12, the YouTube.com web team will be implementing a change to prevent websites from including the www.youtube.com website on their pages via an <iframe> (or <frame>). Following this change, an <iframe> pointing to www.youtube.com will cease to display the YouTube web site, and instead will display a blank page.

While this change isn’t directly related to the YouTube API, we did want to announce this change in advance on the off-chance any YouTube API developers out there do include www.youtube.com on their site’s pages via frames. We also wanted to make clear that this change is not meant to affect the official <iframe> YouTube video embed API (described at http://apiblog.youtube.com/2010/07/new-way-to-embed-youtube-videos.html), which should remain fully operational. It is only intended to affect non-embed API usage.

If you’ve been including www.youtube.com on your pages because you were not sure how else to embed videos, this YouTube Help article details the official methods of embedding:

http://www.google.com/support/youtube/bin/answer.py?hl=en&answer=171780 

Best Mario
