1

This is a follow-up to This Question about controlling on what site(s) a page can be iframed.

I would like to use the accepted answer, but when a link inside the iframe is clicked, the referrer is then reported as the domain that hosts the framed content. Is there a server-side way of preventing the site from displaying if it is not inside a frame? (apache, php5)

Here's what I'm trying to achieve:

My server generates some content. We want to share that content with specific other websites. We do not want this content to display by itself. If at all possible, I don't want to rely on client-side script because it can be turned off. (Setting the body tag or the main wrapper div to display: none doesn't really help, as the content is still there, in the source.)

TecBrat
  • as far as I know there is no reliable way for the server to know what context it's being requested with. – Orangepill May 15 '13 at 20:18
  • Can't you just reverse the conditions on the post you linked? I mean, check if the page has a window.parent, if yes display else display a forbidden error? – reikyoushin May 15 '13 at 20:20
  • Test if the referer is from the page that the iframe resides in. If not, then load the page it's supposed to reside in. – Funk Forty Niner May 15 '13 at 20:22
  • @reikyoushin I know I could detect it client-side. I am looking for a way to know before the HTML is sent to the client. I could probably come up with an ajax solution though. – TecBrat May 15 '13 at 20:23
  • there are things here that might give you some ideas.. http://stackoverflow.com/questions/6662542/check-if-site-is-inside-iframe – reikyoushin May 15 '13 at 20:23
  • @Fred, That works until a link inside the window is clicked. Then the referrer is changed to that of the framed content, so if I disallow the generating domain as a referrer, I can never go past the main page. If I allow the generating domain as a referrer, then "open in new window" or "...new tab" puts the page out there on its own. – TecBrat May 15 '13 at 20:26
  • @TecBrat Got it. There are ways of disabling a link to open in a new window/tab. I saw this a few weeks ago actually, just can't remember where I saw this. Javascript would need to be enabled for this to work, and we all know that Javascript can be disabled on the client-side. I use CSS to hide content which is embedded inside ``; works like a charm. – Funk Forty Niner May 15 '13 at 20:29
  • @TecBrat Instead of using an iframe, can you not just use an `include` file? – Funk Forty Niner May 15 '13 at 20:43
  • The iframe will be on other domains. (other servers that I do not control) So no, `include` will not work. – TecBrat May 15 '13 at 21:00

3 Answers

1

It is impossible for PHP to know if the request comes from inside an iframe, because it will have exactly the same form it would have if made at the top-level window.

Why can't you use includes? In this case, there's a simple solution:

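```php
// Redirect when this file is requested directly instead of being included.
if (strcmp(basename($_SERVER['SCRIPT_NAME']), basename(__FILE__)) === 0) {
    header("Location: index.php");
    exit; // stop here so the rest of the file is not sent with the redirect
}
```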

Edit:

What I'm saying is that with iframes you can't control the access from the server side.

Let's imagine you have your main page index.php and the page that is iframed, like foo.php.

When you do `<iframe src="foo.php"></iframe>` a new HTTP request is made to the server, and it is almost the same as the request made for index.php.

With includes, you'd only have one request. One of the parameters of the request parsed by the PHP server is the script name. When you do `GET /index.php HTTP/1.1`, the script name will be index.php.

Putting the code I showed you IN THE INCLUDED FILES will prevent them from being accessed directly; you can just reference them by an include.

Henrique Barcelos
  • If I follow the logic of your code, then it does exactly the opposite of what I am trying to do. If I don't follow the logic of your code, then please elaborate. – TecBrat May 15 '13 at 20:58
0

I don't think that the server (or server-side code) can possibly know whether the page is displayed inside of an iframe. The server serves page requests and has no knowledge of the presentation.

I think that the closest you can come on a server-side solution (in PHP) is to check the `$_SERVER['HTTP_REFERER']`.

If you absolutely must restrict access to the script to a frame, you will need something on the client that can examine the presentation. A couple of solutions for doing this in JavaScript are here and here.

Chris Ostmo
  • I had pretty much come to the same conclusion before I asked, but hoped that someone else knew something I was overlooking. – TecBrat May 15 '13 at 20:28
0

I faced the same problem and solved it with this:

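```php
// Refuse to serve the page when the request carries no Referer header.
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($ref == '') {
    exit;
}
```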

An iframe's referer is the parent window's URL, so if the page to be iframed does not have a referer, it does not load, so you get what you want.

auto22
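The Referer check suggested in the answers, written as a host allow-list and run over constructed header values (an added example, not code from any of the posters; the host names and the `classify_referer` helper are assumptions). It shows the limit TecBrat describes in the comments: once the content host's own pages have to be accepted as referrers, a framed link opened in a new tab gets the same verdict as a click inside the frame, and the header is in any case a value the client supplies.

```php
<?php
// Added example. Host names are constructed placeholders, not from the page.

// Classify a request by its Referer value: 'partner', 'self' or 'deny'.
function classify_referer($referer, array $partnerHosts, $ownHost)
{
    if (!is_string($referer) || $referer === '') {
        return 'deny'; // typed URL, bookmark, or a client that sends no Referer
    }
    $scheme = strtolower((string) parse_url($referer, PHP_URL_SCHEME));
    $host   = strtolower((string) parse_url($referer, PHP_URL_HOST));
    if ($host === '' || !in_array($scheme, array('http', 'https'), true)) {
        return 'deny'; // malformed or non-web referrer
    }
    // Compare the whole host name; a substring test would accept look-alikes.
    if (in_array($host, $partnerHosts, true)) {
        return 'partner';
    }
    return ($host === strtolower($ownHost)) ? 'self' : 'deny';
}

$partners = array('partner-a.example', 'partner-b.example');
$ownHost  = 'content.example';

// Constructed Referer values, one per case discussed in the thread.
$samples = array(
    'first load inside a partner frame' => 'https://partner-a.example/page.html',
    'link clicked inside the frame'     => 'https://content.example/start.php',
    'framed link opened in a new tab'   => 'https://content.example/start.php',
    'host that only contains a partner' => 'https://partner-a.example.other.example/',
    'no Referer sent'                   => '',
);

foreach ($samples as $case => $referer) {
    printf("%-36s %s\n", $case, classify_referer($referer, $partners, $ownHost));
}

// In the framed script itself (sketch of the wiring):
// $r = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// if (classify_referer($r, $partners, $ownHost) === 'deny') {
//     header('HTTP/1.1 403 Forbidden');
//     exit;
// }
```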