
I am using this code on a page with a video stream to prevent people from iframing it:

<script>if(self != top) { top.location = self.location; }</script>

but now I would like to allow one or more domains to embed the page using an iframe. I looked on Stack Overflow and found this:

<script type="text/javascript">
if (window.top.location.host != "website.com") {
    document.body.innerHTML = "Access Denied";
}
</script>

But it doesn't work. I know there must be a way because I remember, 2 years ago, a website that had something like this: when I tried to embed their page with an iframe, it redirected me to an adult website, and the iframe only worked on their domain.

Looks like I solved the problem:

<script>
if (top.location.host != "example.com") {
    window.location.href='http://example.com/redirected';
}
</script>
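As an added example (not the poster's code), here is a domain-aware version of the frame buster the question is after. It keeps the idea of allowing example.com and its subdomains to frame the page and redirecting any other framer, but it handles the reason the first attempt "doesn't work": inside a cross-origin frame, reading `window.top.location.host` throws a SecurityError, so that check fails for subdomain.example.com just as it does for a stranger. It therefore reads the framer's origin from `location.ancestorOrigins` where the browser offers it, falls back to `top.location.host` (same-origin only) and then to `document.referrer`, and fails closed when nothing is known. The hostnames and redirect URL are placeholders taken from the question; the decision logic is a pure function so it can be tested without a browser.

```javascript
// Added example, not the original post's code. Hostnames and the redirect URL
// are assumptions based on the question.
const ALLOWED_ANCESTOR_HOSTS = ["example.com"];          // your site
const REDIRECT_URL = "http://example.com/redirected";    // where strangers are sent

// Exact host or a subdomain of an allowed host, ignoring any port.
// "subdomain.example.com" passes; "example.com.evil.net" and "notexample.com" do not.
function hostAllowed(host, allowlist = ALLOWED_ANCESTOR_HOSTS) {
  if (typeof host !== "string" || host === "") return false;
  const h = host.toLowerCase().replace(/:\d+$/, "");
  return allowlist.some((a) => h === a || h.endsWith("." + a));
}

// Hostname of an origin or URL string, or null when it cannot be parsed
// (this also covers the literal "null" origin of sandboxed frames).
function hostOf(urlOrOrigin) {
  try {
    return new URL(urlOrOrigin).hostname;
  } catch (_) {
    return null;
  }
}

// Best-effort list of the hosts framing this window, in order of preference:
//   1. location.ancestorOrigins: every ancestor, readable cross-origin
//      (Chromium and WebKit only);
//   2. top.location.host: readable only when the framer is same-origin,
//      throws SecurityError otherwise;
//   3. document.referrer: the immediate parent's URL, which the parent can
//      suppress but cannot forge.
// Returns [] when nothing is known, which the caller treats as "unknown framer".
function ancestorHosts(win) {
  const origins = win.location && win.location.ancestorOrigins;
  if (origins && origins.length > 0) {
    return Array.from(origins, hostOf); // nulls are kept so they fail the allowlist
  }
  try {
    const h = win.top.location.host;
    if (h) return [h];
  } catch (_) {
    // cross-origin framer: fall through to the referrer
  }
  const h = hostOf(win.document && win.document.referrer);
  return h === null ? [] : [h];
}

// Every ancestor must be allowed: a trusted page nested inside an untrusted
// one is still clickjackable. An unknown framer is denied.
function framingDecision(framed, ancestors) {
  if (!framed) return "allow";
  if (ancestors.length === 0) return "deny";
  return ancestors.every((h) => hostAllowed(h)) ? "allow" : "deny";
}

// Browser entry point. Put <style>html { visibility: hidden }</style> before
// this script in <head>: the page starts hidden and is revealed only when
// framing is allowed, so a parent that blocks the redirect (for example a
// sandboxed <iframe> without allow-top-navigation) is left with a blank frame.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const framed = window.self !== window.top;
  const decision = framingDecision(framed, ancestorHosts(window));
  if (decision === "allow") {
    document.documentElement.style.visibility = "visible";
  } else {
    try {
      window.top.location = REDIRECT_URL;
    } catch (_) {
      // navigation refused by the parent; the content stays hidden
    }
  }
}
```

Keep in mind that a framing page that can neutralise the redirect (the answer below makes this point) still cannot make the content visible, which is why the page is hidden by default rather than shown and then torn down.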

1 Answer


This is not the correct way. You should be using this instead:

https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

<meta http-equiv="X-Frame-Options" content="deny">

or:

<meta http-equiv="X-Frame-Options" content="sameorigin">

That's because the JavaScript can easily be bypassed from the parent window.

Browsers that support it:

  • IE8
  • Safari
  • Chrome
  • Firefox with the NoScript addon

EDIT: Seeing as you want to use cross-site scripting, you will have to get around the same-origin policy.

  • That doesn't do anything for me, and I don't have access to the server configuration. To put it more simply, I want to put in a JavaScript code so that if I am embedding that page on example.com it works just fine, but if somebody else is trying to embed the page on their website, the parent frame is redirected to example.com. So something like this: check if the parent frame is example.com; if not, redirect to example.com – BeBe Aug 14 '13 at 20:21
  • @NaeAlexandru It may get blocked anyway by the user's browser because it gets classified as cross-site scripting, which is not safe. You need an alternate method: the site should contact your server, and your server-side script should handle the authentication/referrer and deliver the correct contents. – user1094607 Aug 14 '13 at 20:23
  • Another way would be to use JSONP and AJAX. The site 'example.com' could request the JSON object from a key URL on your server, but again to prevent other sites from using it you need to check the referrer or authenticate the user. – user1094607 Aug 14 '13 at 20:26
  • I forgot to mention that the page iframed is on example.com and the embed will be on subdomain.example.com (if that helps), and the pages are HTML. That guy did it back then, why can't I? :( I remember that it was a simple script like the one I posted above... – BeBe Aug 14 '13 at 20:30
  • @NaeAlexandru Because of the Same Origin Policy: http://en.wikipedia.org/wiki/Same-origin_policy – user1094607 Aug 14 '13 at 20:32
  • solved with this: `` – BeBe Aug 14 '13 at 20:50
  • @NaeAlexandru Again, this JS method can easily be bypassed from the parent page, which owns the iframe, which is why it is useless. If somebody really wanted to embed your iframe they would know how to do it. There is a method which involves inserting a script into the DOM before the page has loaded, as the first script element which has some more JS code to render your script useless. – user1094607 Aug 23 '13 at 15:22
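As an added example (not part of the answer or the comments), here is the server-side form of the answer's advice for the case where you do control the server, which the poster above could not. Two facts a practitioner should have at hand: browsers honour X-Frame-Options only as an HTTP response header, not in a `<meta http-equiv>` tag, and the `ALLOW-FROM` variant was never broadly supported. Naming specific embedding origins, which is what the question asks for, is done with the `Content-Security-Policy: frame-ancestors` directive; that goes beyond the DENY/SAMEORIGIN cases shown on the page. The helper emits both headers so that a browser without frame-ancestors support falls back to SAMEORIGIN and fails closed rather than open (browsers that do support it ignore X-Frame-Options when frame-ancestors is present). The `/stream` path and the origins are assumptions taken from the question.

```javascript
// Added example, not the answer's code. Path and origins are assumptions
// based on the question: the player lives on example.com and may be embedded
// by example.com itself and by subdomain.example.com.

// ancestors: [] -> nobody may frame the page; ["'self'"] -> same origin only;
// otherwise 'self' and/or scheme://host[:port] origins that may frame it.
function frameAncestorHeaders(ancestors) {
  if (!Array.isArray(ancestors) || ancestors.length === 0) {
    return {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    };
  }
  // Accept only the CSP source forms that make sense here; a path, a query
  // or a bare hostname is rejected rather than silently emitted.
  const sources = ancestors.map((a) => {
    if (a === "'self'") return a;
    if (!/^https?:\/\/(\*\.)?[a-z0-9.-]+(:\d+)?$/i.test(a)) {
      throw new Error(`not a valid frame-ancestors source: ${a}`);
    }
    return a.toLowerCase();
  });
  return {
    // Legacy fallback: browsers that ignore frame-ancestors still block
    // third-party framing. CSP-aware browsers ignore this header when
    // frame-ancestors is present.
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": `frame-ancestors ${[...new Set(sources)].join(" ")}`,
  };
}

// Only the embeddable player page names an external origin; every other
// response on the site refuses framing outright.
const EMBEDDERS = ["'self'", "https://subdomain.example.com"]; // assumption

// Request handler for Node's http module. Returns the headers it set so the
// behaviour can be checked without a real socket.
function handleRequest(req, res) {
  const headers = frameAncestorHeaders(req.url === "/stream" ? EMBEDDERS : []);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  res.setHeader("Content-Type", "text/html; charset=utf-8");
  res.end("<!doctype html><title>stream</title><p>video player goes here</p>");
  return headers;
}

// `node this-file.js --serve` starts a local server on port 8080; without the
// flag the file only defines the functions above.
if (typeof process !== "undefined" && process.argv.includes("--serve")) {
  require("http").createServer(handleRequest).listen(8080);
}
```

With the server running, `curl -i http://localhost:8080/stream` shows both headers on the player page and `curl -i http://localhost:8080/` shows `X-Frame-Options: DENY`; the JavaScript frame buster from the question then becomes a secondary, best-effort layer rather than the only control.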