Pinterest and using the X-Frame-Options header for security

Nancy was having some trouble getting her application that creates Pinterest Rich Pins working. The validator tool (and tech support) was not very helpful. The error just said:

We were unable to retrieve any data from your URL.

Pinterest Validator tool failure

I tried verifying that there were no intra-AWS connectivity issues (Pinterest’s tool lives in AWS, but so does Nancy’s site), but I could see in the Apache logs that Pinterest was getting an HTTP 200 OK response.

It then dawned on me that I had – in a fit of security consciousness – turned on click-jacking protection on all my self-hosted domains.

The only problem being, Pinterest uses an IFRAME to validate that your Rich Pins are correctly marked up with Schema.org tags. By using X-FRAME-OPTIONS: SAMEORIGIN, I was blocking the tool from framing the page, and thus from validating the content.

Sure enough, turning the click-jacking protection off fixes it.

So, if you are seeing the error “We were unable to retrieve any data from your URL” with the Pinterest Rich Pins Validator, you may want to use SecurityHeaders.io’s handy tool to check whether your site is sending X-FRAME-OPTIONS.
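The same check can be done offline against a captured set of response headers. The sketch below is an added example, not code from the original post: it is a simplified model of how a browser decides whether a third-party page may frame yours, and it goes beyond the post by also handling the CSP `frame-ancestors` directive, which lets you allow one framing origin without turning click-jacking protection off for everyone. The function names and the `shop.example` / `validator.example` origins are constructed placeholders; the origin Pinterest's validator actually frames from is not given in the post.

```python
from urllib.parse import urlsplit

def _origin(url):
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)

def _source_matches(source, framer_url):
    """Simplified CSP host-source match; ports and paths are ignored."""
    scheme, host, _ = _origin(framer_url)
    if source == "*":
        return True
    if "://" in source:
        src_scheme, source = source.split("://", 1)
        if src_scheme.lower() != scheme:
            return False
    src_host = source.split("/", 1)[0].split(":", 1)[0].lower()
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return src_host == host

def framing_verdict(headers, page_url, framer_url):
    """Return (allowed, reason) for framer_url embedding page_url."""
    h = {k.lower(): v for k, v in headers.items()}
    same_origin = _origin(page_url) == _origin(framer_url)
    # A frame-ancestors directive takes precedence over X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            for src in parts[1:]:
                if src.startswith("'"):
                    if src.lower() == "'self'" and same_origin:
                        return True, "frame-ancestors 'self'"
                elif _source_matches(src, framer_url):
                    return True, "frame-ancestors " + src
            return False, "frame-ancestors does not list the framer"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN" and not same_origin:
        return False, "X-Frame-Options: SAMEORIGIN"
    # No header, same-origin framing, or an obsolete value such as ALLOW-FROM.
    return True, "no framing restriction applies"

# Constructed sample values, not taken from the post.
PAGE = "https://shop.example/item/1"
VALIDATOR = "https://validator.example/"
if __name__ == "__main__":
    for hdrs in ({"X-Frame-Options": "SAMEORIGIN"},
                 {"Content-Security-Policy": "frame-ancestors 'self' https://validator.example"}):
        print(hdrs, "->", framing_verdict(hdrs, PAGE, VALIDATOR))
```

The first sample reproduces the situation in the post (a cross-origin validator blocked by SAMEORIGIN); the second keeps framing restricted while allowing one named origin.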

About Graham

Forty-something gay geek living in Kings Cross with my collection of shiny computers and my fish.

1 Response to Pinterest and using the X-Frame-Options header for security

  1. Graham says:

    Update: just a few hours later, the validator tool is failing again, so I’m left thinking that Pinterest is just a bit crap.
