
Possible to prevent our website from running inside another domain's frameset or IFrame?

We've been having a problem recently where other sites are running our e-commerce site inside a frameset where our site (with the offender's affiliate id tacked on) is the only content in a single full width frame. So essentially it looks and feels like our site with their URL at the top. We can cut off their affiliate id, which would make it pointless for them to do, but this doesn't prevent future offenders from doing the same thing until we find out about it.

Is there a generic way (through JavaScript that appears on every page perhaps?) to prevent this from happening? Note that adding targets to all links is not feasible, but adding a snippet of JS to all pages is, since the header and footer portions are shared sitewide from a single source.

Another possibility would be at the Apache level (if there is anything we could do server side) as we do pass all requests through mod-rewrite.

Note that it would be essential to still allow pages to load inside an IFrame if the parent page originates from our domain, as we make valid use of IFrames.

Peter asked Jan 20 '09 01:01


People also ask

How do you prevent a website from being loaded in an iframe?

1.) Sending an X-Frame-Options HTTP response header that instructs the browser to disable framing from other domains. An example of using PHP to send the X-Frame-Options header.

Can I hide content inside an iframe from an external domain?

Yes totally doable. Once you assign the parameter to a var, you could then do anything you want… like a hide() on an element.

How do I restrict an iframe?

The X-Frame-Options response header

DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.

ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin.

How do I stop redirecting iframe?

Use the sandbox attribute. <iframe src="Site_URL" sandbox=""> gives full protection. <iframe src="Site_URL" sandbox="allow-forms allow-scripts"> allows form submission and scripts to run.


2 Answers

I've heard of solutions to this problem being referred to as a "frame popper script". A quick google comes up with this thread. Looks like this is one of the simplest:

// Frame buster: if this page is not the top-level window, load it in the top window instead.
if (window != top) top.location.href = location.href;
Greg Hewgill answered Oct 30 '22 18:10


I believe the proper modern method to achieve this is with the X-Frame-Options response header.

From the MDN:

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Take a look at: How to prevent IFRAME from redirecting top-level window

Steven Lu answered Oct 30 '22 20:10
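
Added example (not part of either answer): a JavaScript model of how a current browser applies X-Frame-Options and the CSP frame-ancestors directive, usable to check that a set of response headers still allows framing from your own origin while refusing other origins. The function names and the shop.example / framer.example origins are constructed for illustration; ALLOW-FROM is treated as ignored, which is how current browsers handle that obsolete value.

```javascript
// Constructed sample origins (assumptions, not from the page).
const SHOP = 'https://shop.example';
const FRAMER = 'https://framer.example';

// Decide whether a current browser would render a response inside frames with
// the given ancestor origins. Simplified model: one CSP header, no wildcard or
// path matching in frame-ancestors sources.
function framingAllowed(headers, pageOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true; // top-level load, not framed

  const h = {}; // header names are case-insensitive
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  // CSP frame-ancestors, when present, replaces X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1).map(s => s.toLowerCase());
    // Every ancestor must match a source; 'none' or an empty list matches nothing.
    return ancestorOrigins.every(origin =>
      sources.some(src =>
        src === "'self'" ? origin === pageOrigin : src === origin.toLowerCase()));
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigins.every(o => o === pageOrigin);
  // Missing header, or an obsolete value such as ALLOW-FROM: no restriction.
  return true;
}

// Report what the question asks for: own-site framing works, foreign framing fails.
function audit(headers) {
  return {
    sameOrigin: framingAllowed(headers, SHOP, [SHOP]),
    crossOrigin: framingAllowed(headers, SHOP, [FRAMER]),
  };
}

console.log(audit({ 'X-Frame-Options': 'SAMEORIGIN',
                    'Content-Security-Policy': "frame-ancestors 'self'" }));
```

A header set meets the requirement in the question when audit() reports sameOrigin true and crossOrigin false; a response carrying only ALLOW-FROM reports crossOrigin true.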