89

How can I find out that my page is embedded as a frame in another site during page loading? I guess the referrer request header can't help me here? Thanks.

Andriy Kopachevskyy
  • Hi, John, I can't say I need a complete solution here, just a direction to move in is enough; after I find the answer to my question I always post it as an answer, this is the only way I can participate in the community. – Andriy Kopachevskyy May 25 '10 at 08:44
  • Note: Setting the meta tag is useless! For instance, has no effect. Do not use it! Only by setting through the HTTP header like the examples below, X-Frame-Options will work. https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/X-Frame-Options – xpredo Aug 16 '17 at 00:14

9 Answers

106

You cannot check it from the server's side, but you can use JavaScript to detect it after the page has loaded. Compare top and self; if they're not identical, you are in a frame.

Additionally, some modern browsers respect the X-FRAME-OPTIONS header, which can have two values:

  • DENY – prevents the page from being rendered if it is contained in a frame
  • SAMEORIGIN – same as above, unless the page belongs to the same domain as the top-level frameset holder.

Users include Google's Picasa, which cannot be embedded in a frame.

Browsers that support the header, with the minimum version:

  • IE8 and IE9
  • Opera 10.50
  • Safari 4
  • Chrome 4.1.249.1042
  • Firefox 3.6.9 (older versions with NoScript)
Maerlyn
  • Since I stumbled in here via a google search, I'll add that Firefox added X-FRAME-OPTIONS in August, 2010 with FF3.6.9: http://michael-coates.blogspot.com/2010/08/x-frame-option-support-in-firefox.html – ThePants Mar 08 '12 at 20:28
  • From owasp https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_X-Frame-Options_Response_Headers – ASKN Aug 07 '18 at 08:01
  • This answer is outdated. See [CSP](https://developer.mozilla.org/fr/docs/Web/HTTP/CSP). – samb102 Jun 21 '21 at 16:46
46

Stackoverflow includes some JS to test it (master.js). This is the relevant part of it:

if(top!=self){
    // We are inside a frame: navigate the top window to this page instead
    top.location.replace(document.location);
    alert("For security reasons, framing is not allowed; click OK to remove the frames.")
}

But keep in mind that JS can be disabled.

Felix Kling
  • This approach is particularly useful if you want to get a message to either the person that's putting your content in an iframe, or the end user of their site that's looking at your content in the iframe. – kevinmicke Aug 02 '17 at 18:40
33

For modern browsers, you can use CSP (Content Security Policy), which is a standard. The following header will prevent the document from loading in a frame anywhere:

Content-Security-Policy: frame-ancestors 'none'

(IE 11 needs the X- prefix, though). You can also change 'none' to the origin on which framing is allowed, such as your own site.

To cover the older browsers, this is best used together with @Maerlyn's answer.

rvighne
  • Your answer is not clear enough, with all due respect. Is this header code or PHP? For example. – Gary Carlyle Cook Aug 11 '16 at 13:39
  • @GaryCarlyleCook This is an HTTP header that should be part of the response to the browser when serving a page. It's not PHP code, though you could use PHP to send it; see [header()](http://php.net/manual/en/function.header.php) – rvighne Aug 11 '16 at 15:33
15

You can prevent loading your page in an iframe with JavaScript:

<script type="text/javascript">
// If this window is not the top-level window, we are inside a frame
if ( window.self !== window.top ) {
    // Navigate the top-level window to this page, replacing the framing page
    window.top.location.href=window.location.href;
}
</script>

This code changes the address of the container of your page's iframe to your page's address and forces the container to show your page.

iman
  • The `sandbox` attribute on an iframe allows you to forbid such frame-escaping hacks. So this is not a secure way to prevent framing, in case your concern is security issues. – Frédéric Sep 03 '15 at 13:21
7

Or you can block a specific domain if you don't mind your content in some locations but don't want it on a certain site. For example, if offendingdomain.com was embedding your content, you could do this:

<script type="text/javascript">
    if(document.referrer.indexOf("offendingdomain.com") != -1) {
        window.location = "http://www.youtube.com/watch_popup?v=oHg5SJYRHA0";
    }
</script>

This would check the parent document's location and see if it's the offendingdomain.com that is embedding your content. This script will then send that iframe to a certain famous youtube video as punishment. In effect they just Rick-Rolled themselves.

earl3s
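Added example, not code from the answer above: the same idea with the embedding site matched by parsed hostname instead of `indexOf`, so a referrer like `https://notoffendingdomain.com/` or `https://evil.net/?ref=offendingdomain.com` is not mistaken for `offendingdomain.com`. The domain and the sample referrers are made up for the example; the redirect target is the one from the answer. Note that the embedder can suppress `document.referrer` entirely with a `Referrer-Policy` of `no-referrer`, so this is a nuisance filter, not a security control.

```javascript
// Added example (not from the answer above). referrerMatchesDomain is a name
// invented here; "offendingdomain.com" is a placeholder, as in the answer.

// True when `referrer` (for a framed page, document.referrer is the URL of the
// embedding document) belongs to `domain` or one of its subdomains.
function referrerMatchesDomain(referrer, domain) {
  if (!referrer) return false;               // empty when no referrer was sent
  let host;
  try {
    host = new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return false;                            // not a parseable URL
  }
  const wanted = domain.toLowerCase();
  return host === wanted || host.endsWith("." + wanted);
}

// In a browser, apply the answer's redirect only for the real offending host.
if (typeof document !== "undefined" &&
    referrerMatchesDomain(document.referrer, "offendingdomain.com")) {
  window.location = "http://www.youtube.com/watch_popup?v=oHg5SJYRHA0";
}
```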
3

Use JavaScript to check whether the page was loaded in an iframe by placing the following script at the end of your PHP file, and redirect to a page that displays a warning or notice that your page should not be loaded in an iframe.

<script type="text/javascript">
// The Location objects differ only when this window is not the top-level one
if(top.location != window.location) {
    window.location = '/error_iframe.php';
}
</script>
jmslouie
1
<?php
    // Must be sent before any output; CSP-capable browsers will then refuse any framing
    header("Content-Security-Policy: frame-ancestors 'none'");
?>
DaFois
Ugur Ergun
0

Replace hostname with your domain name

var framedElsewhere = true;
// Reading window.top.location.host throws for a cross-origin top window, so treat that as "framed elsewhere" too
try { framedElsewhere = window.top.location.host != "hostname"; } catch (e) {}
if (framedElsewhere) {
    document.body.innerHTML = "Access Denied";
}
Balaji
0

I use this PHP code at the top of the header

if($_SERVER['SERVER_NAME'] != 'yourwebsite.com'){
   // SERVER_NAME is the name this server answers to (from its config or the Host header)
   header('Location: https://yourwebsite.com/'); // Location needs an absolute URL
   exit;
}

If someone iframes your site, it will redirect to your website.