
I have iframes over various websites. In my js, I'm hitting against a php file in a different domain. Is there a way to get the domain name for the server on which my iframes are hosted? (This is to prevent others hitting against my php file.)

Example: I have a domain called www.domain.com and another called www.phpscript.com. If my website is embedded in Yahoo, is there any way that I can find out that my js calls are coming from www.domain.com and not some dodgy website?

$_SERVER['REMOTE_HOST'] and $_SERVER['REMOTE_ADDR'] would not work in this situation, as REMOTE_ADDR would provide the user's IP and REMOTE_HOST would return Yahoo.

Bankzilla

2 Answers


If you want to allow interaction across frames but only within a subset of domains, then you'd need to use the Content Security Protection extensions. Currently this is only implemented in Firefox and Chrome (not MSIE, don't know about Safari and Opera etc) but it's a W3C standard so expect everyone to join in eventually.

Hence for a php script running on Example.com allowing access from other.com (or vice versa)...

$ok="'self' *.other.com *.example.com";           // CSP source lists are space separated, not comma separated
$policy="default-src $ok; frame-ancestors $ok";   // directive names take no colon
header("X-Content-Security-Policy: $policy");     // legacy Firefox prefix
header("X-Webkit-CSP: $policy");                  // legacy WebKit prefix
header("Content-Security-Policy: $policy");       // standard header

NB there are other implications when you enable CSP.

symcbean

EDIT:

The OP wanted to do the reverse of what I initially interpreted the question as.

To prevent a site being accessed when it IS NOT in an iframe, you can use:

<script type="text/javascript">
// window.top === window.self means this document is the top-level page, i.e. it is NOT inside a frame
if (window.top === window.self) {

    window.self.location = 'about:blank';
    window.self.onload=function(evt){
        window.self.location = 'about:blank';
        document.body.innerHTML='';
    };
    document.body.innerHTML='';
}
</script>

This requires JavaScript to be enabled, and will blank the page and redirect to about:blank (nothing) if the page is accessed outside of an iframe.


To prevent a page from being accessed when it IS in an iframe (original answer, still useful):

You can send the header X-Frame-Options: SAMEORIGIN (what Google does) to ask the browser to not display the content in a frame that's not on your domain.

PHP

header('X-XSS-Protection: 1; mode=block');
header('X-Frame-Options: SAMEORIGIN');

You could additionally work around this with JavaScript to stop access to the site through iframes:

// window.top !== window.self means this document has been loaded inside a frame
if (window.top !== window.self) {
    window.self.location = 'about:blank';
    window.self.onload=function(evt){
        window.self.location = 'about:blank';
        document.body.innerHTML='';
    };
    document.body.innerHTML='';
}

Both of these methods rely on browser support, but it's better than nothing.

Stecman
  • The site is built around being used in iframes, as it's a video player. So blocking the iframe isn't a solution. – Bankzilla Jun 22 '12 at 04:25
  • If you only had that JavaScript on the top frame, that would work - other frames don't have to have that script included (granted then a savvy user could embed the non protected frame). Are your frames loading full pages or just content. – Stecman Jun 22 '12 at 04:29
  • Has all the required html tags and the video player + its components. – Bankzilla Jun 22 '12 at 04:31
  • You should be able to put that JavaScript on just the parent page then. At any rate, the headers you can set in PHP should be effective enough and won't prevent you accessing your own frames. – Stecman Jun 22 '12 at 04:39
  • The video players are on more than 100+ sites. They're also on different domains to which I don't have access. – Bankzilla Jun 22 '12 at 04:44
  • @Bankzilla Can you try to give a clearer example in your question? It seems to be a cross between preventing XSS attacks on your site and stopping people embedding your site in an iframe on other sites. _"The video players are on more than 100+ sites"_ - the code in my answer is to stop others embedding your site, neither will prevent you embedding other sites in yours. Again, please clear your question up. – Stecman Jun 22 '12 at 05:00
  • Has nothing to do with stopping users embedding the site as an iframe. I'm trying to stop outside sources hitting against `www.phpscript.com` so only `www.domain.com` is allowed to access the script inside of it – Bankzilla Jun 22 '12 at 05:03
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/12889/discussion-between-stecman-and-bankzilla) – Stecman Jun 22 '12 at 05:04
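The check the OP describes in the last comment (only pages from `www.domain.com` may call the script on `www.phpscript.com`, even when those pages sit in an iframe on Yahoo), as an added example that is not code from either answer: browsers attach an `Origin` header to cross-origin XMLHttpRequest/fetch calls naming the origin of the document that made the call (the iframe's own document, not the page framing it), so the script can compare it against an exact allowlist and answer with the matching CORS header. The host names are the ones from the question; everything else is assumed.

```php
<?php
// Added example, not from the thread. Gate a script on www.phpscript.com so that only
// browser JavaScript running in pages served from www.domain.com can use it.
// Scope caveat: the Origin header is supplied and enforced by browsers only, so this is a
// cross-site request gate, not authentication; pair it with a session or API token for that.

// Exact origins that may call this script: scheme + host, no path, no trailing slash.
$ALLOWED_ORIGINS = [
    'https://www.domain.com',
    'http://www.domain.com',
];

/**
 * Return the allowlist entry that exactly matches $origin, or null if there is none.
 * Exact comparison is deliberate: a prefix, substring or regex check would also accept
 * look-alikes such as "https://www.domain.com.example".
 */
function matchAllowedOrigin(?string $origin, array $allowed): ?string
{
    if ($origin === null || $origin === '') {
        return null;
    }
    foreach ($allowed as $candidate) {
        if (strcasecmp($candidate, $origin) === 0) {   // scheme and host are case-insensitive
            return $candidate;
        }
    }
    return null;
}

$allowedOrigin = matchAllowedOrigin($_SERVER['HTTP_ORIGIN'] ?? null, $ALLOWED_ORIGINS);

if ($allowedOrigin === null) {
    // Refused before any work is done. Note that a same-origin GET from a page on
    // www.phpscript.com itself carries no Origin header and is refused here too; relax
    // this branch if the script must also serve those pages.
    http_response_code(403);
    header('Content-Type: text/plain');
    echo "Forbidden: origin not allowed\n";
    exit;
}

// Echo back only the matched allowlist value, never the raw request header and never "*".
header('Access-Control-Allow-Origin: ' . $allowedOrigin);
header('Vary: Origin');                        // stop caches serving one origin's reply to another
header('Access-Control-Allow-Methods: GET, POST');
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
    exit;                                      // CORS preflight: the headers above are the whole answer
}

// ... the real work of the script goes here ...
```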