Load iframe on specific domains only

Question

I want to allow some websites to embed an iframe with a page from my domain. However, I don't want anybody to be able to use the iframe content without my permissions. How can I allow only domains of my choice to be able to embed the iframe with the page's content?

I know vimeo does this, and allows video owners to block the video on certain websites that they don't find appropriate.

I want server side ASP.NET solution, because Javascript code can be altered. However if it can be done using javascript code and its secure, It's ok.

From what I've seen, I need to pass the referrer in some way, but in a way that can be manually altered by other website owners to include the iframe themselves and it would work on their website too, without a permission.

You can inspect the [header referrer](http://stackoverflow.com/questions/4258217/getting-the-http-referrer-in-asp-net) and/or use an API or system key that's embedded in the URL or in your Javascript. Oh, and I want a puppy. — Jared Farrish, Jul 15 '12 at 18:10
Is it a standalone page that you want to allow framed, or is it a framed page which will lead to other pages in your domain, which you also want framed? — Mendhak, Jul 15 '12 at 18:15

score 2 · Accepted Answer · edited May 23 '17 at 12:12

Since it will be a standalone page as you mentioned in the comments, you can do this by inspecting the referer property.

Request.UrlReferrer

See that it contains the domain that you want to allow. This property is available when an embedder puts your page in the IFRAME's SRC attribute and the page loads for the first time.

If the user clicks on a link inside the IFRAME, it is not guaranteed to pass the containing page as a referrer.

If you want to allow multiple linked pages inside the IFRAME to allow a specific domain, then you will need to stick to a JavaScript based solution.

Note however that neither method is completely foolproof.

Load iframe on specific domains only

1 Answers1