2

In the wake of this famous question: How to identify if a webpage is being loaded inside an iframe or directly into the browser window?

I have an opposite practical issue: is there any way (workable in all browsers) to prevent a web-page from knowing that it is loaded inside an iframe element?

This is useful for various preview interfaces, where some particular websites block their content if they are loaded inside an iframe.

Andremoniy
  • 34,031
  • 20
  • 135
  • 241
  • 1
    No, there is not. – CBroe Jul 13 '17 at 08:39
  • @CBroe, Obviously there is: I can cut all scripts from the loaded page – Andremoniy Jul 13 '17 at 09:02
  • 1
    Yeah, but that could only be achieved using some kind of proxy ... and the question and tags did not really indicate that you were willing to use such measures. Plus, scripts are not the only way to prevent a page from being displayed in a foreign frame; X-Frame-Options is much more widely used for that these days. (And that does not even have anything to do with the website “knowing” that it is displayed in some kind of frame, but rather the website simply telling the browser upfront that it does not want that.) – CBroe Jul 13 '17 at 09:08

1 Answers1

4

There is no way to get this information. The reason that websites should always be able to know they're in an iframe is for security reasons.

It allows for things like frame-busting, where a website stops itself from being displayed or redirects to the site itself.

If a website were to be shown in an iframe without knowledge of this, I could overlay a separate form element and use this in phishing attacks.

That would be a serious security issue.

Alexander Varwijk
  • 2,075
  • 18
  • 21