Is my embedded Google Group blocked by Firefox because of an incorrect X-Frame-Options "Allow-From" value?


I'm trying to embed a Google Group web page on a site, but cannot get it to work in all browsers, and I'm stumped as to why. I'm using the <iframe> and JavaScript code provided by the Google Groups configuration system, and things work when I view the page in Safari (version 6.1, 8537.71) and Chrome (32.0.1700.107), but not in Firefox (26.0), running on Mac OS X 10.8.5. Running Firefox's debug console reveals the following error:

Load denied by X-Frame-Options: https://groups.google.com/ does not permit framing by http://mysite.org/mypage

(where http://mysite.org/mypage is the actual page URL, of course). Now, the curious thing is that, using the debug consoles in Chrome and Safari, both report an error too, but about the X-Frame-Options header sent by Groups:

Invalid 'X-Frame-Options' header encountered when loading 'https://groups.google.com/forum/embed/?place=forum/myforum&amp;domain=mydomain.org&amp;showtabs=false&amp;parenturl=http%3a%2f%2fmydomain.org': 'allow-from https://groups.google.com' is not a recognized directive. The header will be ignored.

This seems to imply that the reason it works in Safari and Chrome is either that Google is sending an invalid header (which seems unlikely) and Safari and Chrome therefore ignore it, or that both browsers are unable to interpret X-Frame-Options, which, as far as I can tell, is not supposed to be the case.

Can anyone think of what might be going on, or suggest other possible issues I can check for?

A past question seemed to hit a similar or possibly the same problem, but the OP's problem apparently went away on its own, whereas mine persists whether I am logged in or out of my Google account.

Edit 2014-02-06 #1

I've determined that Chrome and Safari do not implement support for allow-from in X-Frame-Options; this explains the messages in their consoles, and explains why those browsers do not block the embedded Google Groups page. Also, if I interpret the definition of the allow-from option correctly, the URI provided as the value should be that of the enclosing page; in other words, Google should be sending allow-from mydomain.org, and not the value it is sending. I guess I must be doing something wrong, but I've followed Google's instructions for setting up the iframe, including the part about supplying &domain=yourdomain.com.

Edit 2014-02-06 #2

In view of the above, the original question is answered: the reason Safari and Chrome display the embedded page is that they ignore the security header value, whereas Firefox doesn't, and correctly blocks the embedding because the value of allow-from is not the domain of the page enclosing the iframe (mydomain.org), as it needs to be.

So the question now is why Google sets allow-from https://groups.google.com rather than mydomain.org.

Edit 2014-02-06 #3

Solved. The reason Google was sending that X-Frame-Options value is that my <iframe> code was incorrect. For reasons I can no longer reconstruct at this time, I was led to believe that the ampersands in the src attribute value needed to be escaped, like this:

    <html><body>
    <iframe id="forum_embed" src="javascript:void(0)"
      scrolling="no" frameborder="0" width="746" height="1200">
    </iframe>
    <script type="text/javascript">
      // Non-working version: "&amp;" inside a script string is sent literally.
      document.getElementById('forum_embed').src =
        "https://groups.google.com/forum/embed/?place=forum/sbml-discuss"
        + "&amp;parenturl=" + encodeURIComponent(window.location.href);
    </script>
    </body></html>

In fact, it does not work if written that way. The following does:

    <html><body>
    <iframe id="forum_embed" src="javascript:void(0)"
      scrolling="no" frameborder="0" width="746" height="1200">
    </iframe>
    <script type="text/javascript">
      // Working version: a plain "&" separates the query parameters.
      document.getElementById('forum_embed').src =
        "https://groups.google.com/forum/embed/?place=forum/sbml-discuss"
        + "&parenturl=" + encodeURIComponent(window.location.href);
    </script>
    </body></html>

(The difference is in &parenturl.) And this is what Google's instructions say to do. This is, I know, embarrassing....

This is controlled by the parenturl URL param of the iframe src attribute.

It might be the Chrome console encoding it, but it looks like the URL in your iframe src has the '&' characters encoded.

Are you hardcoding the parenturl attribute? Or using 'encodeURIComponent(window.location.href)'
(from the docs: https://support.google.com/groups/answer/1191206?hl=en)
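
The failure discussed above, reproduced as an added example that is not part of the original question or answer: an `&amp;` written inside a script string is never HTML-decoded, so the server receives a parameter named `amp;parenturl` and the ALLOW-FROM origin no longer matches the embedding page. The forum name, page URL and the `modelledXfoHeader` fallback are assumptions modelled on the behaviour reported in the question, not Google's code.

```javascript
// Added example. The forum name and page URL are constructed placeholders.
const PAGE = "http://mydomain.org/mypage";

// Build the iframe src the way the two snippets in the question do.
function buildEmbedSrc(separator, parentHref) {
  return "https://groups.google.com/forum/embed/?place=forum/myforum" +
    separator + "parenturl=" + encodeURIComponent(parentHref);
}

// Parameter names a server sees after splitting the query string on "&".
function queryParamNames(src) {
  return [...new URL(src).searchParams.keys()];
}

// ASSUMPTION: models the behaviour observed in the question, not Google's code.
// Without a usable parenturl the response names the embed host itself.
function modelledXfoHeader(src) {
  const parent = new URL(src).searchParams.get("parenturl");
  let origin = "https://groups.google.com";
  try { if (parent) origin = new URL(parent).origin; } catch { /* keep default */ }
  return "ALLOW-FROM " + origin;
}

// ALLOW-FROM check as an enforcing browser applies it: compare origins.
// Returns null when the header is not an ALLOW-FROM directive.
function allowFromPermits(headerValue, parentHref) {
  const m = /^allow-from\s+(\S+)$/i.exec(headerValue.trim());
  if (!m) return null;
  try { return new URL(m[1]).origin === new URL(parentHref).origin; }
  catch { return false; }
}

// Run the whole chain for one separator and report each stage.
function check(separator) {
  const src = buildEmbedSrc(separator, PAGE);
  const header = modelledXfoHeader(src);
  return { params: queryParamNames(src), header, framed: allowFromPermits(header, PAGE) };
}

console.log(check("&amp;")); // escaped in a script string: parenturl is lost
console.log(check("&"));     // plain ampersand: parenturl reaches the server
```

ALLOW-FROM is obsolete in current browsers; the Content-Security-Policy `frame-ancestors` directive is the supported way to express the same restriction.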

