 

How to prevent IFRAME from redirecting top-level window

Some websites have code to "break out" of IFRAME enclosures, meaning that if a page A is loaded as an IFRAME inside a parent page P, some JavaScript in A redirects the outer window to A.

Typically this JavaScript looks something like this:

<script type="text/javascript">
  if (top.location.href != self.location.href)
     top.location.href = self.location.href;
</script>

My question is: As the author of the parent page P and not being the author of the inner page A, how can I prevent A from doing this break-out?

P.S. It seems to me like it ought to be a cross-site security violation, but it isn't.

Jason Cohen asked Sep 25 '22 03:09


1 Answer

With HTML5, the iframe sandbox attribute was added. At the time of writing, this works on Chrome, Safari, Firefox and recent versions of IE and Opera but does pretty much what you want:

<iframe src="url" sandbox="allow-forms allow-scripts"></iframe>

If you want to allow top-level redirects, specify sandbox="allow-top-navigation".

Pankrat answered Oct 26 '22 22:10
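
An added example, not part of the original answer: a small Node.js check that reads an iframe tag's sandbox attribute and reports whether the framed page can run scripts and whether it can still redirect the top-level window. The function names and sample tags are constructed for illustration, and the regex assumes a single well-formed tag rather than arbitrary HTML.

```javascript
// Added example: names and sample tags are constructed, not from the page.
// Reports what a framed page may do, given the <iframe> tag that embeds it.

// Return the sandbox attribute value, "" for a bare `sandbox`, null if absent.
// Handles one well-formed tag only; it is not a general HTML parser.
function sandboxOf(iframeTag) {
  const re = /\ssandbox(?=[\s=>\/])(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i;
  const m = re.exec(iframeTag);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3] ?? "";
}

// Sandbox tokens are whitespace-separated and case-insensitive.
function tokensOf(value) {
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

function framePolicy(iframeTag) {
  const value = sandboxOf(iframeTag);
  if (value === null) {
    // No sandbox: scripts run and top.location can be reassigned by the frame.
    return { scripts: true, topNavigation: "allowed" };
  }
  const t = tokensOf(value);
  let topNavigation = "blocked";
  if (t.has("allow-top-navigation")) {
    topNavigation = "allowed";
  } else if (t.has("allow-top-navigation-by-user-activation")) {
    topNavigation = "user-gesture-only";
  }
  return { scripts: t.has("allow-scripts"), topNavigation };
}

// Constructed sample tags, including the one from the answer above.
const samples = [
  '<iframe src="url"></iframe>',
  '<iframe src="url" sandbox="allow-forms allow-scripts"></iframe>',
  '<iframe src="url" sandbox="allow-scripts allow-top-navigation"></iframe>',
  '<iframe src="url" sandbox></iframe>',
];
for (const tag of samples) {
  console.log(tag, JSON.stringify(framePolicy(tag)));
}
```

A bare `sandbox` attribute applies every restriction, so the framed page's scripts do not run at all and the break-out code never executes.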