On April Fools' Day, Google used its own gTLD to launch a backwards version of its home page from the domain com.google. But the idea was technically not good for Google itself: in making a prank for its users, Google had inadvertently broken some of the site's security.

According to a blog post published Friday by researchers from Netcraft, Google undermined an important security feature on Google's real homepage, which made it vulnerable to user interface redressing attacks such as clickjacking. Attackers could have seized on the omission of the X-Frame-Options header to change a user's search settings, including turning off SafeSearch filters.

The chief reason for using X-Frame-Options is to prevent the use of HTML iframe tags to display Google's homepage on third-party web pages. With that protection bypassed, attackers were free to stitch the Google page into their own site and embed hidden code that changed the function of certain links.

In the blog post the researchers explained that Google uses the X-Frame-Options HTTP response header to prevent other websites from displaying it within an iframe. For the April Fools' prank, Google stepped around this problem with a query parameter (igu=2) which not only told the page to display its content backwards, but also instructed the server to omit the X-Frame-Options header entirely. By dropping X-Frame-Options, Google allowed a remote attacker to display the Google Search Settings page in an iframe on an external domain and trick victims into unwittingly changing those settings.

The researchers have shown the two different responses, one from the normal site and the second from the April Fools' site.

This is the ordinary response from the Google search settings page:

HTTP/2.0 200 OK
Alternate-Protocol: 443:quic,p=0.5
Cache-Control: private
Content-Encoding: gzip
Content-Length: 35486
Content-Type: text/html; charset=UTF-8
Date: Wed, 01 Apr 2015 09:54:14 GMT
Expires: Wed, 01 Apr 2015 09:54:14 GMT
Server: gws
Set-Cookie: [redacted]
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: h2-15

And this is the response with the igu=2 parameter appended, where the X-Frame-Options header was omitted:

HTTP/2.0 200 OK
Alternate-Protocol: 443:quic,p=0.5
Cache-Control: private
Content-Encoding: gzip
Content-Length: 33936
Content-Type: text/html; charset=UTF-8
Date: Wed, 01 Apr 2015 09:58:30 GMT
Expires: Wed, 01 Apr 2015 09:58:30 GMT
Server: gws
Set-Cookie: [redacted]
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: h2-15

By omitting the X-Frame-Options header, Google allowed the page to be displayed in a frame. As a result, anyone was free to display the Google search settings page within an iframe on their own site.

The issue has been reported to the Google team by Netcraft and has now been fixed.
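The difference between the two responses comes down to one missing header, which is exactly the kind of regression a response-header audit catches. The following is an added example, not code from Netcraft or Google: it parses a raw response head and reports whether framing by other origins is forbidden, accepting either a valid X-Frame-Options value or the newer Content-Security-Policy frame-ancestors directive. The two sample responses are constructed from the headers quoted above, abridged to the relevant fields.

```python
"""Audit raw HTTP response heads for anti-framing (clickjacking) protection."""

# Constructed sample: the ordinary search-settings response (abridged).
NORMAL_RESPONSE = """HTTP/2.0 200 OK
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Server: gws
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
"""

# Constructed sample: the igu=2 response, identical except X-Frame-Options is gone.
IGU2_RESPONSE = """HTTP/2.0 200 OK
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
"""


def parse_headers(raw: str) -> dict:
    """Turn a response head (status line followed by header lines) into a dict
    keyed by lower-cased field name; repeated fields are joined with ', '."""
    headers: dict = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_framing(raw: str) -> dict:
    """Report whether the response forbids framing by other origins.
    Either a valid X-Frame-Options or a CSP frame-ancestors directive suffices."""
    h = parse_headers(raw)
    findings = []
    xfo = h.get("x-frame-options", "").upper()
    xfo_ok = xfo in ("DENY", "SAMEORIGIN")
    csp_ok = "frame-ancestors" in h.get("content-security-policy", "").lower()
    if not xfo:
        findings.append("X-Frame-Options header missing")
    elif not xfo_ok:
        # ALLOW-FROM and misspelt values are ignored by modern browsers: no protection
        findings.append(f"X-Frame-Options value {xfo!r} not enforced by browsers")
    if not csp_ok:
        findings.append("no Content-Security-Policy frame-ancestors directive")
    return {"protected": xfo_ok or csp_ok, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("normal", NORMAL_RESPONSE), ("igu=2", IGU2_RESPONSE)):
        print(label, audit_framing(raw))
```

Running the check over every variant of a page (including prank or debug parameters) would have flagged the igu=2 response as unprotected before it shipped.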