
How to block a website from loading in an iframe?

Recently I tried to load the YouTube website in an iframe, but it did not work. I used this simple code.

    <!DOCTYPE html>
    <html>
    <head>
      <title></title>
    </head>
    <body>
      <iframe width="1000px" height="700px" src="http://www.youtube.com"></iframe>
    </body>
    </html>

  1. I want to know why my webpage can't load the YouTube website in an iframe.

  2. What code do I use to load the YouTube website in my webpage?

  3. How do I use the same technique in my website, so no one can add my website in an iframe?

Rishi Kumar asked Nov 07 '13 17:11



2 Answers

For modern browsers, you need to enable X-Frame-Options in the header. The X-Frame-Options header can be implemented through web server configuration settings.

You can view the X-Frame-Options header as in the image below.

Reference: https://www.keycdn.com/blog/x-frame-options/

If your browser does not support it, then you will have NO clickjacking defense in place, and you can use the HTTP header field X-Frame-Options:

  <meta http-equiv="X-Frame-Options" content="deny"> 

There are three possible values for X-Frame-Options:

DENY - The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.

ALLOW-FROM uri - The page can only be displayed in a frame on the specified origin.

Krish R answered Sep 24 '22 05:09


As of April 2016 the accepted answer by Krish R no longer works. Most browsers now ignore the meta tag as recommended by RFC 7034.

The correct way to implement this header is to have it sent with the document by the server. See the Mozilla documentation on X-Frame-Options for details.

mwoodman answered Sep 21 '22 05:09
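
The two answers above, as an added example that is not code from either poster: a minimal Python server that sends X-Frame-Options as a real response header, plus a checker that tells a header-based defense apart from the meta tag that browsers ignore. The names `NoFramingHandler` and `framing_defense`, the verdict strings and port 8000 are assumptions made for this illustration.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

PAGE = b"<!DOCTYPE html><html><body>Not frameable by other sites</body></html>"

class NoFramingHandler(BaseHTTPRequestHandler):
    """Sends X-Frame-Options as a response header with every document."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("X-Frame-Options", "SAMEORIGIN")  # or "DENY"
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

# Finds <meta http-equiv="X-Frame-Options" ...> in an HTML body.
META_XFO = re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?x-frame-options", re.I)

def framing_defense(headers, body=""):
    """Classify a response as 'protected', 'obsolete', 'meta-only' or 'none'.

    headers: dict of response header names to values; body: the HTML text.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("x-frame-options", "").strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected"
    if value.startswith("ALLOW-FROM"):
        return "obsolete"   # current browsers no longer honour ALLOW-FROM
    if META_XFO.search(body):
        return "meta-only"  # the meta form is ignored, per RFC 7034
    return "none"

if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = [
        ("header", {"X-Frame-Options": "DENY"}, ""),
        ("meta tag", {}, '<meta http-equiv="X-Frame-Options" content="deny">'),
        ("nothing", {"Content-Type": "text/html"}, "<html></html>"),
    ]
    for label, hdrs, html in samples:
        print(f"{label:10} -> {framing_defense(hdrs, html)}")
    # Serve on localhost; inspect the result with: curl -I http://127.0.0.1:8000/
    HTTPServer(("127.0.0.1", 8000), NoFramingHandler).serve_forever()
```
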