Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can iframe pages tell when they are iframed?

So I know that if I include an iFrame to a page that is not on the same domain I can't access that iframe's DOM via browser policy, but can a page that is in an iframe do any kind of parent document accessing?

Specifically I have to ideas that are contingent on this question:

  1. If the embedded page can tell that it is not the parent window, one could make either sites that are un-iframe-able so that if the page detects it is iframed it changes to a "Go Away" page OR you could make it only-iframe-able (similar to a server-side script for pages that are only meant to be includes), so that going to the page when it's not iframed would get a "Go Away" page.

  2. If the iframed page has certain liberties that the parent window does not, it could request the stylesheet of the parent window and set it as its on stylesheet, thus making the site integrate more with the parent document. (Of course, then I could just make my stylesheet relate more to the iframed site, knowing it will do this, but I don't see that as an issue).

Anybody know?

like image 662
Anthony Avatar asked Oct 02 '09 13:10

Anthony


2 Answers

With regards to #1, yes, you can tell if you are being framed using some simple javascript:

<script type="text/javascript">
if (self != top)
{
  // Framed!
}
</script>

Regarding #2, I'm not sure what you can do using the "top" variable, but I do know that you can change it's location (so if your site is framed by another site, you can have your frame change the location of the top frame - essentially redirecting the user directly to your site).

Not sure what else you can or can't do to the top frame though - someone else might be able to provide more information there.

like image 53
Eric Petroelje Avatar answered Nov 22 '22 22:11

Eric Petroelje


You might also be interested in this Coding Horror article about detecting frames. You can detect whether you've been framed, but there are also countermeasures that the "parent" page can take to prevent you from acting on that. Example from the article:

Detect whether you've been framed:

if (parent.frames.length > 0) {
    top.location.replace(document.location);
}

Prevent a frame from detecting and redirecting:

   var prevent_bust = 0  
   window.onbeforeunload = function() { prevent_bust++ }  
   setInterval(function() {  
     if (prevent_bust > 0) {  
       prevent_bust -= 2  
       window.top.location = 'http://server-which-responds-with-204.com'  
     }  
   }, 1)  
like image 35
ine Avatar answered Nov 22 '22 21:11

ine