14

I operate a service where a client's content is prepared and displayed in an iframe. The client then copies a rudimentary iframe html tag and pastes it into their web page. Some clients complain that other websites are copying the iframe tag and pasting it into their sites.

Is it possible to restrict the display of an iframe's content to a specific domain or domains? Perhaps by programmatically telling the iframe that its parent must be some-domain.com or else don't display.

Does this make sense? I can sometimes be too verbose.

Marci

2 Answers

13

You can use an .htaccess (assuming the original content is on an Apache server) to limit the access to a specific IP.

Or, if the page is a PHP, you could limit it to a specific domain, like this:

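    <?php
    // Render the page only when the Referer header names the allowed host.
    // A missing Referer header is treated as not allowed.
    $continue = 0;
    if (isset($_SERVER['HTTP_REFERER'])) {

        //correct domain:
        $ar = parse_url($_SERVER['HTTP_REFERER']);
        $host = (is_array($ar) && isset($ar['host'])) ? strtolower($ar['host']) : '';
        $suffix = '.yourdomain.com';
        // Accept the exact host or one of its subdomains. A substring match
        // would also accept hosts such as yourdomain.com.example.net.
        if ($host === 'yourdomain.com' || substr($host, -strlen($suffix)) === $suffix) {
            $continue = 1;
        }

    }

    if ($continue == 0) {
        header('HTTP/1.0 403 Forbidden');
        exit('Forbidden');
    }

    ?>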
jackJoe
  • You are making a _huge_ assumption here, that the webserver can be modified like this. – Oded Mar 07 '11 at 19:42
  • @Oded what is the assumption made? That the referer is correct? Please explain. – Marci Mar 07 '11 at 19:57
  • @Marci - he is assuming that you have access to and can change the `.htaccess` file (and that you are using Apache). – Oded Mar 07 '11 at 19:58
  • @Oded Oh, I see. Forgive me for not including those details. You are right. Without that info, it's a huge assumption. I do in fact have a dedicated server and complete access to all inner-workings. I would prefer to do it dynamically with PHP though. – Marci Mar 07 '11 at 20:03
  • @Marci - And what about _what_ webserver you are using? IIS? Apache? Something else? – Oded Mar 07 '11 at 20:05
  • @jackJoe So, you're saying that the PHP above would go into the page that is being served in the iframe? – Marci Mar 07 '11 at 20:06
  • @Marci yes, that code should go to every page of the content, so that when you view the content via the iframe it either shows (if on the right domain) or just echoes a "Forbidden" if on an unallowed domain; I suggest making an include and maybe adding extra domains to it so that you can browse it in the original domain. P.S. I've been using this code for something very similar to your question. – jackJoe Mar 07 '11 at 20:10
  • @jackJoe Just tested it. Works awesome. I shall create an array to use with it. Thanks! – Marci Mar 07 '11 at 20:12
  • cheers! I tested it in similar conditions and all is working fine. – jackJoe Mar 07 '11 at 20:17
  • @Oded Again, sorry. Web server soft is Apache2. Linux box. – Marci Mar 08 '11 at 01:22
  • This only works on the content page and does nothing to prevent the iFrame from loading any other domain. – WilliamK Dec 24 '14 at 21:22
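
Added example, not part of the original answers: a PHP include that keeps the allowed parent hosts in an array, as discussed in the comments above, sends a `Content-Security-Policy: frame-ancestors` header so that supporting browsers enforce the restriction themselves, and keeps the Referer check as a fallback with exact host matching. The host names (`some-domain.com`, `widgets.example.com`) and the function names are assumptions for illustration.

```php
<?php
// Added example: include at the top of every page served inside the iframe.
// All host names here are placeholders (assumptions), not values from the page.
$allowedParents = ['some-domain.com', 'www.some-domain.com'];
$ownHost = 'widgets.example.com'; // the host that serves the iframe content

/**
 * Build the frame-ancestors source list. The browser enforces this itself,
 * so it does not depend on the Referer header being sent.
 */
function frameAncestorsPolicy(array $hosts): string
{
    $sources = [];
    foreach ($hosts as $host) {
        $sources[] = 'https://' . $host;
    }
    return 'frame-ancestors ' . ($sources ? implode(' ', $sources) : "'none'");
}

/**
 * Referer fallback: exact, case-insensitive host comparison.
 * Returns false when the header is missing or cannot be parsed.
 */
function refererIsAllowed(?string $referer, array $hosts): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    return in_array(strtolower($host), $hosts, true);
}

header('Content-Security-Policy: ' . frameAncestorsPolicy($allowedParents));

// Links followed inside the iframe carry the content host as Referer,
// so the content host is accepted by the fallback as well.
$refererHosts = array_merge($allowedParents, [$ownHost]);
if (!refererIsAllowed($_SERVER['HTTP_REFERER'] ?? null, $refererHosts)) {
    header('HTTP/1.0 403 Forbidden');
    exit('Forbidden');
}
```

A parent page that suppresses the Referer header is rejected by the fallback; the `frame-ancestors` header is the part the browser enforces regardless of what the Referer header contains.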
1

Sounds like a check that is better made server side - you can check the iFrame markup against a list of valid domain names (or parent domain names) and reject it if they are invalid.

You could do all of the above in javascript, before injecting the iFrame into the page, but if javascript is off, your validation will not work, not to mention that with development tools on the client any javascript can be modified.

Oded
  • this needs to be done on the contents site, either by the server side scripting, server configuration or maybe a javascript, but as you said if it is off then that option won't work. – jackJoe Mar 07 '11 at 19:47