9

I want to block other websites from embedding pages from my website in iframes, and I made this JS:

```html
<script type="text/javascript">
// Redirect when the referring page is on mydomain.com
if (document.referrer.indexOf("mydomain.com") != -1) {
  window.location = "http://www.youtube.com/watch_popup?v=oHg5SJYRHA0";
}
</script>
```

The script works, but I have page01.php and page02.php.

I want to insert an iframe for page02.php into the source code of page01.php:

```html
<iframe src="page02.php"></iframe>
```

When I do this, I get redirected to:

http://www.youtube.com/watch_popup?v=oHg5SJYRHA0

How do I solve this? Thanks

Aleksandar

4 Answers

15

I would suggest you use the X-Frame-Options header. If you are using nginx, you can add this line in the server or location block:

```nginx
add_header X-Frame-Options "SAMEORIGIN";
```

When you add this header, a modern browser will deny the request if someone tries to load your page in a frame. Note that this will not work in older browsers.

Mehmet Baker
3

The accepted answer is good, but if you want to add additional assurances that no site can put your site into an iFrame, including other sites on the same origin, the "X-Frame-Options DENY" is recommended. Note that this should be in addition to the approved approach. See:

https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html#x-frame-options-header-types


Adam Wise
  • You say "to make sure" but that isn't supported by all browsers, so it's NOT a "sure" solution – user2342558 Dec 21 '22 at 18:37
  • @user2342558 - I added some clarification to the post that it is not a 'sure' solution, just something that should be done for better assurance than using 'SAMEORIGIN' (which is the current highest voted option). – Adam Wise Dec 21 '22 at 21:52
2

If you don't want to leave the protection to the browsers, you can still use JS.

```javascript
// Check if the page is loaded in an iframe
if (window.self != window.top) {
  // Almost all browsers will deny cross-origin script access, so
  // we will use a try-catch block
  try {
    if (window.parent.location.hostname.indexOf("mydomain.com") == -1) {
      window.location.href = "http://www.youtube.com/watch_popup?v=oHg5SJYRHA0";
    } else {
      // You are in an iframe but same-origin
    }
  } catch (ex) {
    // Congrats, you are in an iframe loaded in a stranger's site!
    window.location.href = "http://www.youtube.com/watch_popup?v=oHg5SJYRHA0";
  }
}
```
Mehmet Baker
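The check in the answer above, rewritten as an added example (not the answer's own code) into a decision function that can be exercised outside a browser. The window argument stands in for the page's `window`; a cross-origin parent is modelled the way browsers behave, with a `location` getter that throws. The host comparison is exact-or-subdomain rather than `indexOf`, which would also accept a look-alike host. The host names and the escape URL in the sample cases are made up.

```javascript
// Added example, not the answer's own code. `win` is whatever object plays the
// role of window; the fakeWindow() doubles below are constructed test input.

// Classify where the current document is displayed:
//   'top-level'            not framed at all
//   'framed-same-site'     parent host is allowedHost or a subdomain of it
//   'framed-other-site'    parent host readable but not ours
//   'framed-cross-origin'  parent's location is not readable (SecurityError)
function framingState(win, allowedHost) {
  if (win.self === win.top) return 'top-level';
  let parentHost;
  try {
    parentHost = win.parent.location.hostname;
  } catch (err) {
    return 'framed-cross-origin';
  }
  // Exact host or subdomain. indexOf("mydomain.com") !== -1 would also accept
  // "mydomain.com.attacker.example" or "notmydomain.com".
  const ours = parentHost === allowedHost || parentHost.endsWith('.' + allowedHost);
  return ours ? 'framed-same-site' : 'framed-other-site';
}

// Apply the decision. Returns true when the page navigated itself away.
function frameGuard(win, allowedHost, escapeUrl) {
  const state = framingState(win, allowedHost);
  if (state === 'top-level' || state === 'framed-same-site') return false;
  win.location.href = escapeUrl;
  return true;
}

// Test double for a window. Omit parentHost for a top-level window; set
// crossOrigin to make the parent's location throw, as a real browser does.
function fakeWindow({ parentHost, crossOrigin = false } = {}) {
  const win = { location: { href: 'https://mydomain.com/page02.php' } };
  win.self = win;
  if (parentHost === undefined) {
    win.top = win;
    win.parent = win;
    return win;
  }
  const parent = {};
  Object.defineProperty(parent, 'location', {
    get() {
      if (crossOrigin) {
        throw new Error('SecurityError: Blocked a frame from accessing a cross-origin frame.');
      }
      return { hostname: parentHost };
    },
  });
  win.top = parent;
  win.parent = parent;
  return win;
}

// In a real page the call is simply:
//   frameGuard(window, 'mydomain.com', 'https://mydomain.com/');
const cases = [
  ['not framed', fakeWindow()],
  ['framed by page01.php on mydomain.com', fakeWindow({ parentHost: 'mydomain.com' })],
  ['framed by a look-alike host', fakeWindow({ parentHost: 'mydomain.com.attacker.example' })],
  ['framed cross-origin', fakeWindow({ parentHost: 'attacker.example', crossOrigin: true })],
];
for (const [label, win] of cases) {
  console.log(label.padEnd(40), framingState(win, 'mydomain.com'));
}
```

One caveat a practitioner should keep in mind: an embedder can write `<iframe sandbox="allow-forms" src="...">`, and without `allow-scripts` in that attribute the guard never runs at all. Script-based checks are therefore a supplement to the X-Frame-Options or frame-ancestors header, not a replacement for it.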
1

For PHP websites you can write this line at the beginning of the script, before any output:

```php
header('X-Frame-Options: DENY');
```

More about the header function here.

Nuno Sarmento
  • (Now I can't update this answer: you can talk about dropping this line in the beginning of a PHP script, instead of talking specifically to WordPress.) – Valerio Bozz Jun 28 '19 at 18:10