Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Checking if a website doesn't permit iframe embed

I am writing a simple lightbox-like plugin for my app, and I need to embed an iframe that is linked to an arbitrary page. The problem is, many web sites (for example, facebook, nytimes, and even stackoverflow) will check to see if is being embedded within a frame and if so, will refresh the page with itself as the parent page. This is a known issue, and I don't think there's anything that can be done about this. However, I would like the ability to know before hand if a site supports embed or not. If it doesn't, I'd like to open the page in a new tab/window instead of using an iframe.

Is there a trick that allows me to check this in javascript?

Maybe there is a server-side script that can check links to see if they permit an iframe embed?

I am developing a browser extension, so there is an opportunity to do something very creative. My extension is loaded on every page, so I'm thinking there's a way to pass a parameter in the iframe url that can be picked up by the extension if it destroys the iframe. Then I can add the domain to a list of sites that don't support iframe embed. This may work since extensions aren't loaded within iframes. I will work on this, but in the meantime....

Clarification:

I am willing to accept that there's no way to "bust" the "frame buster," i.e. I know that I can't display a page in an iframe that doesn't want to be in one. But I'd like for my app to fail gracefully, which means opening the link in a new window if iframe embed is not supported. Ideally, I'd like to check iframe embed support at runtime (javascript), but I can see a potential server-side solution using a proxy like suggested in the comments above. Hopefully, I can build a database of sites that don't allow iframe embed.

like image 280
Matt De Leon Avatar asked Sep 14 '11 20:09

Matt De Leon


3 Answers

Check x-frame-options header by using following code

$url = "http://stackoverflow.com";
$header = get_headers($url, 1);
echo $header["X-Frame-Options"];

If return value DENY, SAMEORIGIN or ALLOW-FROM then you can't use iframe with that url.

like image 135
vinod Avatar answered Nov 19 '22 17:11

vinod


Probably pretty late but what you need to do is make a request, likely from your server and look for the x-frame-options header. If it's there at all you can just open a new tab because if it is there is is one of the following: DENY, SAMEORIGIN, ALLOW-FROM. In any of these cases it's likely that you don't have access to open it in an iframe.

like image 24
ars265 Avatar answered Nov 19 '22 18:11

ars265


This subject has been discussed forever on the web with a particularly interesting (failed) attempt here:

Frame Buster Buster ... buster code needed

The bottom line is that even if you are able to construct a proxy that parses the contents of the page that you want in your iframe and removes the offending code before it is served to the iframe you may still come under "cease and desist" from the site if they get to hear about you doing it.

If you don't want your development to be widely available, you could probably get away with it. If you want your development to become popular, forget about it, and build a less underhand way of dealing with it.

Or develop it for mobile only... ;)

UPDATE: OK following on from your comment here's a bit of taster:

in javascript capture the click on the link

$("a").click(function(e){

    preventDefault(e); // make sure the click doesn't happen

    // call a server side script using ajax and pass the URL this.href
    // return either a true or false; true = iframe breakout
    // set the target attribute of the link to "_blank" for new window (if true)
    // set the target attribute of the link to "yourframename" for iframe (if false)
    // only now load the page in the new window or iframe
});

server side in PHP

$d = file_get_contents($url); // $url is the url your sent from the browser
// now parse $d to find .top .parent etc... in the <head></head> block
// return true or false 
like image 1
T9b Avatar answered Nov 19 '22 18:11

T9b