-1

In the past our company had an agreement that a local news agency could embed some maps we had on our website. They would iFrame in the maps, and I'm told that we had some logic in place to prevent anyone other than the news site from doing the same thing (possibly via some kind of referral agent)?

We recently have moved to our maps application being hosted on Amazon S3, and iFramed into our own page. The topic of preventing unauthorized embedding has popped up again.

I do not have access to the previous code to see how this was done, but I'm assuming it was some sort of header check on the previous aspx page. Now that the map application is completely static on S3, I do not believe something like this would be possible.

Could anyone weigh in or point me in the direction of what I can search for? None of my searches have turned up anything useful (probably just using the wrong keywords).

Thanks in advance!

hypno7oad

2 Answers

1

The most reliable way is with JavaScript (when it's enabled)

if(top != self) alert("Y U EMBED IN FRAME?");

There's even a Wikipedia article on the topic http://en.wikipedia.org/wiki/Framekiller

Prinzhorn
  • Thanks, I'll check this out to see if this approach can be extended for a whitelist of pages (i.e. embeddable in our pages and our partners). – hypno7oad Oct 01 '12 at 16:55
  • For security reasons you can't easily access the url of the parent page (http://stackoverflow.com/questions/7574926/access-iframes-parent-url). You can't use the approach mentioned there, because the host page could easily manipulate the code. Maybe you can take another route like Disqus. They wrote a book about it http://www.amazon.com/Third-Party-JavaScript-Ben-Vinegar/dp/1617290548/ – Prinzhorn Oct 01 '12 at 17:07
  • Thanks a lot, I will definitely put that book into my reading list. – hypno7oad Oct 02 '12 at 17:33
0

OK, so someone cleared this all up for me. The previous 'logic' was simply whitelisting the HTTP Referrer header. With that info, I was able to narrow my search and find the following on Amazon's S3 FAQ: http://aws.amazon.com/s3/faqs/#How_can_I_control_access_to_my_data_stored_on_Amazon_S3

hypno7oad
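
The Referer allowlist described in the answer above can be expressed as an S3 bucket policy using the `aws:Referer` condition key. This is an added example, not code from the original posts; the bucket name `EXAMPLE-MAPS-BUCKET` and the two site origins are placeholders for your own bucket, your own site and the partner site.

```json
{
  "Version": "2012-10-17",
  "Id": "ExampleRefererAllowlist",
  "Statement": [
    {
      "Sid": "AllowGetObjectOnlyFromListedReferers",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-MAPS-BUCKET/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://www.our-site.example/*",
            "https://www.partner-news.example/*"
          ]
        }
      }
    }
  ]
}
```

The Referer header is supplied by the client and can be omitted or forged, so this policy deters casual embedding and hotlinking rather than authenticating the embedding site. A request that carries no Referer does not match the condition, so it is not allowed by this statement, and the objects must not be readable through any other grant (for example a public-read ACL) or the restriction has no effect.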