Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to allow iframe embedding only for whitelisted websites?

Tags:

html

forms

php

iframe

referer

I've a form that I'd like to embed in a website, which is on my whitelist.

Other websites, that try to embed it, should get only an error page. 

<iframe src="https://domain.tld/getForm.php?embed=1&formId=123456"></iframe>

I was hoping that I could use $_SERVER['HTTP_REFERER'] in getForm.php to check the embeding website, but it's not working.

Does anyone know a best practise or any workaround?

Thanks in advance!

like image 626
Mr. B. Avatar asked Sep 14 '16 05:09

Mr. B.

People also ask

How do I allow a website to be embedded in iframe?

Step 1. Go to the page or item you would like to share, choose the Embed option, and copy the code. The following image uses a YouTube video as an example. If your site does not have an embed option, you can get the code by going to Embedly and pasting the URL like so.

Which is better iframe or embed?

In general, IFRAME is currently the most populat tag, and EMBED is supposedly being deprecated. The three tags can handle video, but here it is generally better to use the VIDEO tag, as the was created specifically for this particular use. You can read more about video on websites here.

Why is iframe not allowed?

You cannot bypass embedding sites like google in an iframe because they add x-frame-options headers (deny or sameorigin). Browsers that support those headers simply won't allow it. If you just need to get data from a page and show it, you could get the data server-side, but this is probably not your intentions.

How do I create an embeddable iframe?

To embed an iframe in a content page, select Interactive layout, choose the HTML block and paste the iframe code there. You can adjust the iframe width and height properties. To embed an iframe using the Old (Classic) editor, click on the Embed Media icon and paste the code in the appropriate field.

1 Answers

Content Security Policy headers are now the recommended approach.

Example from MDN:

// iframe can be embedded in pages on the origin and also on https://www.example.org
Content-Security-Policy: frame-ancestors 'self' https://www.example.org;

For more details see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

like image 88
Josh Mc Avatar answered Sep 27 '22 20:09

Josh Mc
Sign in to Comment

Related questions

Laravel - validate file size when PHP max upload size limit is exceeded
Laravel 5 how to set Cache-Control HTTP header globally?
When to use Repository vs Service vs Trait in Laravel? [closed]
Why do I get "Resource id #4" when I apply print_r() to an array in PHP? [duplicate]
Split string into equal parts using PHP
PHP global variable is undefined inside a function even if global keyword is used
PHP: how to fill an array with keys and values so 1 = 1, 2 = 2, 3 = 3 etc
Doctrine - or where?
Best way to internationalize simple PHP website
Codeigniter: Email attachment of last emails not cleared while sending multiple emails in loop
SimpleXMLElement cannot be found when working with namespaces
Can I assign a value to a $_POST variable in PHP?
How to convert a decimal into time, eg. HH:MM:SS
PHP Builder pattern without inner classes
Best way to compress string in PHP [duplicate]
PHP class constructor in interface or class
swap two words in a string php
build php5.3.8 on ubuntu , get error: configure: error: Unable to locate gmp.h
How to solve the issue - please install the "intl" extension for full localization capabilities
Get .tld from URL via PHP

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!