How to limit display of iframe from an external site to specific domains only

I operate a service where a client's content is prepared and displayed in an iframe. The client then copies a rudimentary iframe html tag and pastes it into their web page. Some clients complain that other websites are copying the iframe tag and pasting it into their sites.

Is it possible to restrict the display of an iframe's content to a specific domain or domains? Perhaps by programmatically telling the iframe that its parent must be some-domain.com or else don't display.

Does this make sense? I can sometimes be too verbose.

Marci asked Mar 07 '11 19:03



2 Answers

You can use an .htaccess (assuming the original content is on an Apache server) to limit the access to a specific IP.

Or, if the page is PHP, you could limit it to a specific domain, like this:

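    <?php
    // Serve the page only when the Referer header names the expected domain.
    $allowed  = 'yourdomain.com';
    $continue = 0;

    if (isset($_SERVER['HTTP_REFERER'])) {
        // parse_url() returns null/false here when the header has no usable host.
        $host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
        if (is_string($host)) {
            $host   = strtolower($host);
            $suffix = '.' . $allowed;
            // Accept the domain itself or one of its subdomains. A plain strpos()
            // test would also accept hosts such as yourdomain.com.example.net.
            if ($host === $allowed || substr($host, -strlen($suffix)) === $suffix) {
                $continue = 1;
            }
        }
    }

    if ($continue == 0) {
        header('HTTP/1.0 403 Forbidden');
        exit('Forbidden');
    }
    ?>
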
jackJoe answered Sep 21 '22 11:09


Sounds like a check that is better made server side - you can check the iFrame markup against a list of valid domain names (or parent domain names) and reject it if they are invalid.

You could do all of the above in JavaScript, before injecting the iFrame into the page, but if JavaScript is off, your validation will not work, not to mention that with development tools on the client any JavaScript can be modified.

Oded answered Sep 20 '22 11:09
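
An added example, not code from either answer: it combines the per-client allowlist idea with the Referer check, matching hosts exactly or by subdomain, and also builds a `Content-Security-Policy: frame-ancestors` header, a browser-enforced control that the answers above do not mention. The client id, domain list and function names are hypothetical.

```php
<?php
// Added example: per-client embedding allowlist (all names are hypothetical).
// Constructed sample data: client id => domains allowed to frame its content.
$ALLOWLIST = [
    'client-42' => ['some-domain.com', 'shop.example.org'],
];

// True when $host is $domain itself or a subdomain of it.
function host_matches(string $host, string $domain): bool
{
    $host = strtolower(rtrim($host, '.'));
    $domain = strtolower($domain);
    $suffix = '.' . $domain;
    return $host === $domain || substr($host, -strlen($suffix)) === $suffix;
}

// Referer check: false when the header is missing, unparsable or off-list.
function referer_allowed(?string $referer, array $domains): bool
{
    $host = $referer === null ? null : parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    foreach ($domains as $domain) {
        if (host_matches($host, $domain)) {
            return true;
        }
    }
    return false;
}

// Header value that tells the browser which parents may frame the response.
function frame_ancestors_header(array $domains): string
{
    $sources = [];
    foreach ($domains as $domain) {
        $sources[] = "https://$domain";
        $sources[] = "https://*.$domain";
    }
    return 'Content-Security-Policy: frame-ancestors ' . implode(' ', $sources);
}

$domains = $ALLOWLIST['client-42'];
// Constructed Referer values, including a lookalike host and a missing header.
foreach (['https://www.some-domain.com/page', 'https://some-domain.com.example.net/', null] as $ref) {
    printf("%-45s %s\n", var_export($ref, true), referer_allowed($ref, $domains) ? 'allow' : '403');
}
echo frame_ancestors_header($domains), "\n";
```

The Referer header is supplied by the client and may be stripped or altered, so the Referer test is best-effort; the `frame-ancestors` value, passed to `header()` on the framed page, is enforced by the visitor's browser.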