3

I am developing an iframe for use on a number of our partners websites.

Is there any way I can make sure it can only be used on those websites and not by anyone else

I was intending to add a compulsory querystring to the URL for the website. Each partner would have a different value in the quesrystring dnd use that to look up an allowed domain

However, is there anyway to know the top level domain of the site hosting the iframe?

Presumably this is not sent in the http request for the iFrame? Or is it, I couldn’t see it?

Or do you need to send the domain from javascript?

Any advice?

ChrisCa
  • 10,876
  • 22
  • 81
  • 118

4 Answers4

6

However, is there anyway to know the top level domain of the site hosting the iframe?

Nothing reliable.

Presumably this is not sent in the http request for the iFrame? Or is it, I couldn’t see it?

It might be sent in the referer

Or do you need to send the domain from javascript?

If you want to fetch it from the framed page, you will be blocked by the same origin policy.

If you want to sent it from the framing page, you will be putting it in the query string and you can't trust it because it can be set to whatever the person writing the framing page likes.

There is also the X-Frame-Options header (but that has limited browser support).

The most reliable solution I can think of is:

  1. Require the origin to be specified in the query string used to load the frame
  2. Check the referer. If it doesn't match your white-list and is not blank, redirect to a page that is blank except for a link to your site with target="_top" and some JavaScript that top.location = "your site"
  3. Check that the origin specified in the query string is on your whitelist, if it isn't act in the same way as a rejected step 2
  4. Output an X-Frame-Options header that limits the framing to the specified origin

That is likely to catch enough browsers to discourage the framing site from framing your site.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • +1. (more details than mine - so nicer). I believe the most reliable option is to get parent's origin via `postMessage` as there is nothing in browser that can alter source of the message (but this option is already covered by OP "or do you need to send the domain from javascript"). – Alexei Levenkov Jan 30 '13 at 18:07
  • What do you think about the second answer in this post? http://stackoverflow.com/questions/5881139/how-to-block-iframe-call Can I compare window.parent.location.href, or top.locatio.href, to a whitelisted url? And do this is my iframe. I can inject the whitelisted site into the javascript of the iframe. Is that a good approach? – ChrisCa Jan 31 '13 at 15:53
  • Which second? Three are three different ways answers can be sorted on SO. *Can I compare window.parent.location.href, or top.locatio.href, to a whitelisted url?* — No. You can't read the location of other frames when they are pointing to different domains. – Quentin Jan 31 '13 at 15:54
  • the one with the parentIsSameOrigin() function as an answer. Instead of checking they are the same origin, I am thinking I could compare the parent.location.href to a whitelisted url injected into the javascript (all in the iframe). Are you saying you can't read the parent's URL from an iFrame? – ChrisCa Jan 31 '13 at 16:01
  • You can only read the parent (or any different) frame's URI if it is on the same origin. Otherwise you could get potentially sensitive data about a user by framing a third party site. – Quentin Jan 31 '13 at 17:02
1

You can try to check referrer which normal browser will send for IFrame requests on the page.

You also can use "x-frame-options" header covered in (How to Block Iframe call and MDN ) but not every browser will respect that (on other hand it is more reliable if browser supports it).

Community
  • 1
  • 1
Alexei Levenkov
  • 98,904
  • 14
  • 127
  • 179
0

iframe's sanbox attribute might be helpful in controlling the various security aspects in an iframe including origins
http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/

Gokul Kav
  • 839
  • 1
  • 8
  • 14
  • +0 - unless I'm completely mistaken sandbox lets parent to control behavior of an IFrame, which is opposite of what OP asks - how to control from IFrame where it allowed to work. – Alexei Levenkov Jan 30 '13 at 18:04
0

The Architecture Journal of 2007 has a nice article about this: Secure Cross-Domain Communication in the Browser

Basically what the article suggests is: If you have page A on domain 1 with an iframe with page B on domain 2 as its source , then having an iframe on page B to page C on domain 1, would allow you to pass information across domains enter image description here

I haven't tested it, but this sounds like it could work.

Another possibility is create a file with a special filename (for instance a hash of the URL of page B on domain 2) and basic extension (like .htm) and place it in the root of domain 1. Checking whether the file exists on domain 1 cannot be done by javascript however, so it should be done with server side code.

Daniël Tulp
  • 1,745
  • 2
  • 22
  • 51