
Preventing IFRAME embedding, but with one exception

Question:

Let's say we have a web-page at a given location (like www.foo.com/page1.html) and that page contains this (global) code:

if (self != top) { top.location.replace(location.href); }

So, if we try to load that page into an IFRAME, the page will "jump" out of the iframe into the browser window, which will (as a consequence) destroy the page that contained the iframe.

This is OK, but I would like to implement an exception to that rule. Specifically, there is this other page on a different domain (like www.bar.com/page2.html), and I would like that this other page is able to embed the first page via an IFRAME.

How would I have to modify the code of the first page so that it allows itself to be embedded into the other page?

Is this OK?

if (self != top && top.location.href !== "http://www.bar.com/page2.html") { top.location.replace(location.href); }

Answer1:

I doubt you'll be able to check the external parent page's URL because the Same Origin Policy (https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript) should prevent access to any of its properties.

Maybe there is some trickery that I'm aware of that allows it anyway. Barring that, the best idea that comes to my mind is checking document.referrer. As far as I know, a document requested in an iframe will always have the embedding page's URL in the referrer across browsers.

If the referrer is http://www.bar.com/page2.html, the page is either in an iframe on that page, or it was linked to from there (which is the only really big shortcoming of this method: You can't tell for 100% sure whether it's an incoming link, or an iframe embed).

Obviously, the document's referrer is spoofable by the client but I don't think that's an issue here.
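The referrer-based check described above, written out as an added example (not code from the question or the answer). It compares the referrer's origin (scheme, host, port) rather than the full URL, treats a missing or unparsable referrer while framed as "bust" so that the check fails closed, and assumes "http://www.bar.com" is the one origin allowed to embed the page.

```javascript
// Added example: frame-busting with a single allowed embedder, decided from
// document.referrer as suggested in Answer1. Assumed allowed origin: http://www.bar.com
const ALLOWED_EMBEDDER_ORIGINS = ['http://www.bar.com'];

// Return the origin of a referrer string, or null when it is empty or not a URL.
// Comparing origins instead of full URLs avoids false "bust" decisions when the
// embedding page's path or query differs, and a Referrer-Policy may strip the path.
function referrerOrigin(referrer) {
  if (!referrer) return null;
  try {
    return new URL(referrer).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether the page should break out of its frame.
//   framed:   true when self !== top in the browser
//   referrer: document.referrer as seen by the framed page
// Fail closed: framed with an unknown or missing referrer means "bust".
function shouldBustFrame(framed, referrer, allowed = ALLOWED_EMBEDDER_ORIGINS) {
  if (!framed) return false;
  const origin = referrerOrigin(referrer);
  return origin === null || !allowed.includes(origin);
}

// Browser entry point, guarded so the file can also be loaded outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (shouldBustFrame(self !== top, document.referrer)) {
    top.location.replace(location.href);
  }
}
```

Because the decision is taken only when self !== top, a plain link from page2.html to page1.html (where the page is the top window) is not affected, which removes the link-versus-embed ambiguity of a referrer check on its own.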

Answer2:

If you pass the X-FRAME-OPTIONS HTTP header with the value of SAMEORIGIN, most modern browsers (including IE8) will not let the content be iframed from an alien domain.

I thought it may help.
