
Selective Framebursting

I would like to implement selective framebursting for my iframe application.

My iframe is available at www.mywebsite.con/iframe.aspx?lic=1234

When the third party website hosting my iframe is (PayedWebsited1.con OR PayedWebsited2.con) AND the lic=1234 option also exists, display the iframe. For any other cheaters, display bananas!

How can I do it?

OrElse asked May 25 '12 07:05



2 Answers

The thing is, that licence number won't help in any way - whether you use a server-side solution or JavaScript. Cheaters will be able to see that licence number in PayedWebsite1.com.

As was said, you cannot get the parent frame location, but you can get the referrer - it equals the parent frame's location if your page is loaded in an iframe.

if (window.top !== window.self) {  // only if we're in an iframe
    // get the host of our referrer; an empty or malformed referrer counts as unknown
    var match = document.referrer.match(/^https?:\/\/([^\/]+)/);
    var host = match ? match[1].toLowerCase() : '';  // convert to lower case
    var myHost = document.location.host.toLowerCase();
    if (
        host !== myHost                  // so we can click on links in an iframe
        && host !== 'payedwebsite1.com'
        && host !== 'payedwebsite2.com'
    ) {
        window.top.location.href = document.location.href;  // burst out of the frame
    }
}

Be aware that this technique can be beaten. More info at http://javascript.info/tutorial/clickjacking

For newer browsers, you can send a special header:

X-Frame-Options: DENY

The logic stays the same, only server-side. Check the Referer; if it is PayedDomain or your own domain, just keep going. Otherwise, send this header.

Marius Balčytis answered Oct 20 '22 16:10



If it is possible for your third party users to include a JavaScript file, or ideally send a request in ASP prior to drawing the page, this is what I would do:

Javascript

  1. Build an ASP (I do PHP, so my example is in PHP) page on your server that checks the referrer and the license number to match an account in your database. The ASP file should then output JavaScript functions that will replace or insert into the element your specified iframe with a "one-time-use" key that you generate. The file might look similar to this:

    <?php
    // valid_license() and get_access_key() are hypothetical helpers backed by your database
    header('Content-Type: application/javascript'); // this file is loaded via <script src>
    $lic = isset($_GET['lic']) ? $_GET['lic'] : ''; // Do better validation (short for demo purposes)
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    if (valid_license($lic, $referer)) {
        $one_time_key = get_access_key($lic);
        ?>
        function drawIframe() {
            document.getElementById('iframe_target').innerHTML =
                "<iframe src='mysite.php?key=<?php echo rawurlencode($one_time_key); ?>'></iframe>";
        }
        <?php
    }
    else {
        // still emit valid JavaScript, otherwise the customer's page gets a script syntax error
        ?>
        function drawIframe() {
            document.getElementById('iframe_target').innerHTML = "You are not authorized to use this service.";
        }
        <?php
    }
    
  2. Have your customer include this JavaScript code as a replacement for your iframe, in a fashion similar to this:

    <script src="http://www.yoursite.com/preauth.php?lic=1234"></script>
    <script>drawIframe();</script>
    <div id="iframe_target"></div>
    
  3. On the page that is loaded by the iframe, immediately check the key that you generated against the value passed to the iframe. If it is valid, immediately delete or change the status of the key so that you know it's been used. Then display appropriate application.

    • This JavaScript method will be the least painful method for your third party users, although it can be beaten (users could change the "referer" that is sent to your server, although it is unlikely.)

ASP

If you can get your users to make a request to your URL from within their server, you will eliminate exposing any risky information like the license to the user. They could call something like $key = file_get_contents("http://www.yoursite.com/preauth.asp?lic=1234"); Immediately after, they can output the iframe with the one-time-use key that you just generated.

teynon answered Oct 20 '22 16:10
