
The scenario is this: Parent.com can have an 'HTML only' file, and it has an iframe with Iframe.com (PHP that I have full control of).

The question is this: How can I check that iframe.com is loaded only by the parent and can't be iframed by other domains?

EDIT: Some solutions suggest checking the Referer, but this can be spoofed.

user891908
  • You can check the IP address of the server which is hosting parent.com (I believe it's $_SERVER['REMOTE_HOST']). Of course, there can be other sites on the server as well, so it's not very secure. – alex.ac Nov 12 '12 at 19:10
  • @alex.ac — How? It's an iframe. The request comes from the client, not the server of the site with the iframe on it. – Quentin Nov 12 '12 at 19:12
  • Sorry, you are right, it's the client's IP. It seems that the referer is the only option. – alex.ac Nov 12 '12 at 19:21
  • If you have the option to use .htaccess files, then maybe this can be useful as well: http://stackoverflow.com/questions/5224286/how-to-limit-display-of-iframe-from-an-external-site-to-specific-domains-only – alex.ac Nov 12 '12 at 19:26

1 Answer

Referer is as close as you can get before getting into really complicated territory.

While it can be spoofed, it can only be spoofed by the client. A third-party website couldn't make the client spoof it.

That said, Referer is optional. Browsers don't have to send it, and they tend not to under quite a lot of circumstances (such as when the referring document was served over HTTPS).

The following might work…

  1. iframe.example.com uses server-side code to request a token from framed.example.net; the request includes the IP address of the browser and a password authorising iframe.example.com to frame framed.example.net
  2. framed.example.net generates a token and gives it to iframe.example.com, registering it against the IP address of the browser
  3. iframe.example.com generates a URI with the token in the query string and uses it as the src of the iframe
  4. framed.example.net checks that the token exists and that the IP address in the record matches the IP address the request came from (the browser)

This will generate false negatives when the browser doesn't have a consistent IP address (such as when behind a group of proxy servers, which I seem to recall is quite common in cellular broadband), so I wouldn't recommend it.

Quentin
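The four-step token scheme in the answer above, as an added worked example that is not part of the original answer. Both sites are simulated in one process (no HTTP transport), the site names follow the answer, and the shared password, the 60-second token lifetime, the single-use rule and the sample IP addresses are assumptions made for this example. It walks through the legitimate load, a replayed URL, an attacker who lacks the password, an expired token, and the false negative the answer warns about: a legitimate browser whose egress IP changes between loading the parent page and fetching the iframe.

```python
"""Token-gated framing, following the four steps described in the answer.

Both "servers" are simulated in-process; the HTTP transport is left out.
The password, the TTL, the single-use rule and the IPs are assumptions.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, urlparse

# Assumed shared secret that authorises iframe.example.com to request tokens.
PARENT_PASSWORD = "assumed-shared-password"
TOKEN_TTL_SECONDS = 60


class FramedSite:
    """framed.example.net: issues tokens to the parent's server (steps 1-2)
    and checks them when the browser loads the framed document (step 4)."""

    def __init__(self, password, clock=time.time):
        self._password = password
        self._clock = clock          # injectable so expiry can be exercised offline
        self._tokens = {}            # token -> (browser_ip, expires_at)

    def issue_token(self, password, browser_ip):
        """Server-to-server call; the caller must present the password."""
        if not hmac.compare_digest(password, self._password):
            raise PermissionError("not authorised to frame framed.example.net")
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self._tokens[token] = (browser_ip, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def serve_embed(self, request_url, request_ip):
        """The browser fetches the iframe src. Returns an HTTP status code."""
        query = parse_qs(urlparse(request_url).query)
        token = query.get("token", [None])[0]
        if token is None:
            return 403
        # pop() makes the token single-use: a copied URL fails even from the same IP.
        record = self._tokens.pop(token, None)
        if record is None:
            return 403
        browser_ip, expires_at = record
        if self._clock() > expires_at:
            return 403
        if browser_ip != request_ip:
            return 403               # minted for a different client address
        return 200


class ParentSite:
    """iframe.example.com: asks for a token and embeds it in the iframe src (step 3)."""

    def __init__(self, framed, password):
        self._framed = framed
        self._password = password

    def build_iframe_src(self, browser_ip):
        """Called while rendering the parent page for a browser at browser_ip."""
        token = self._framed.issue_token(self._password, browser_ip)
        return "https://framed.example.net/embed?token=" + quote(token, safe="")


def run_scenarios():
    """Returns the status framed.example.net answers with in each constructed case."""
    now = [1_700_000_000.0]                       # fake clock, advanced by hand
    framed = FramedSite(PARENT_PASSWORD, clock=lambda: now[0])
    parent = ParentSite(framed, PARENT_PASSWORD)
    results = {}

    # Browser at 203.0.113.10 loads the parent page, then fetches the iframe.
    src = parent.build_iframe_src("203.0.113.10")
    results["legitimate"] = framed.serve_embed(src, "203.0.113.10")

    # The same URL replayed (e.g. pasted into another site's page) is rejected.
    results["replay"] = framed.serve_embed(src, "203.0.113.10")

    # A token minted for one client but fetched from another address.
    src = parent.build_iframe_src("203.0.113.10")
    results["other_ip"] = framed.serve_embed(src, "198.51.100.7")

    # attacker.example does not know the password, so it cannot mint tokens at all.
    try:
        ParentSite(framed, "guess").build_iframe_src("203.0.113.10")
        results["attacker_mint"] = 200
    except PermissionError:
        results["attacker_mint"] = 403

    # The token expires if the browser is slow to fetch the frame.
    src = parent.build_iframe_src("203.0.113.10")
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = framed.serve_embed(src, "203.0.113.10")

    # The answer's caveat: a legitimate browser whose egress IP changed between
    # the page load and the iframe fetch (proxy pool, carrier-grade NAT) is refused.
    src = parent.build_iframe_src("203.0.113.10")
    results["ip_changed_legit_user"] = framed.serve_embed(src, "203.0.113.11")

    return results


if __name__ == "__main__":
    for case, status in run_scenarios().items():
        print(f"{case:>22}: {status}")
```

The single-use and expiry checks are additions beyond the answer's four steps; without them a token URL copied out of the parent page could be reused by anyone sharing the client's address (a corporate proxy, the same NAT). The last scenario is the reason the answer does not recommend the scheme: the server cannot tell a changed-IP legitimate user from an attacker. Separately from any token scheme, a framed site can tell browsers which origins may embed it with a `Content-Security-Policy: frame-ancestors` response header, which is enforced client-side and has none of these IP problems.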