Prevent iframe stealing

Question

I think someone is stealing my content using an iframe. My website is a forum and a user has just reported them to me.

How can I find their website programmatically (php,JavaScript,jQuery,HTML) if their are others doing this?

Is this allowed on the internet for them to do this and can I take action?

Hussein · Accepted Answer · 2011-04-02T09:34:26.573

With JavaScript you can do

if(window.top==window){
 //not inside iframe
} else {
    if(parent.parent.someFunction){
       parent.parent.someFunction();
    } else {
       alert("framing is not allowed")
    }
}

OR

if (window.top !== window.self) window.top.location.replace(window.self.location.href);

Some modern browsers also support the X-FRAME-OPTIONS header, that can have two values:

* DENY – prevents the page from being rendered if it is contained in a frame
* SAMEORIGIN – same as above, unless the page belongs to the same domain as the top-level frameset holder.

Browsers that support the header:

* IE8 and IE9
* Opera 10.50
* Safari 4
* Chrome 4.1.249.1042
* Firefox with NoScript

score 4 · Answer 2 · answered Apr 02 '11 at 08:32

4

If you can find out who it is you can tell them they can't use your content in that way. If you own website you can dictate how it can be used.

Have a look at framkillers : http://en.wikipedia.org/wiki/Framekiller

This is a technique to stop sites from being shown in iframes. Keep in mind that even framekillers can be killed.

answered Apr 02 '11 at 08:32

JohnP

49,507
13
108
140

So basically, if they are committed I cannot stop them programmatically. Thanks. Is it true that I dictate how my website is used because I allow it to be used by the public, so can I still go after the stealers? – David19801 Apr 02 '11 at 08:54
Definitely. It's your own property so you can dictate the terms. The problem is enforcing. Depending on what country is involved it can be a bit difficult. But you can always send a notice to their ISP directly. Can't think of anything off the top of my head to get a list via code. I'm on ky phone so can't search right now :) – JohnP Apr 02 '11 at 09:37
Also you might want to look at jackjoe's solution as well. Will work depending on your setup. And like pst mentions, they might be nice so ask first! – JohnP Apr 02 '11 at 09:43

score 3 · Answer 3 · edited May 23 '17 at 12:06

3

Use the same method that I suggested here: How to limit display of iframe from an external site to specific domains only

In a nut shell, you add a PHP script in every page (in your case it will probably be just one, assuming it is a template), this script limits the viewing to one (or more) reffering domains.

This method is better than a javascript method because the users might have it disabled.

edited May 23 '17 at 12:06

Community

1
1

answered Apr 02 '11 at 08:47

jackJoe

11,078
8
49
64

1

This method has one big disadvantage - some firwalls block browsers from sending Referer header. In that case the users won't be able to access the page. – Rafael Apr 02 '11 at 09:57
that's a good remark, in that case I would place a message for all the "prohibited" domains, even those false positives, with the contacts of the site so the users could contact and request adding them as a safe domain. The OP can check which ones are stealing via the server logs and exclude those ones, even if they request it via the contacts. I still prefer this method over javascript methods. – jackJoe Apr 02 '11 at 11:26
Everyone have JavaScript enabled. You've got to be living in the ancient world if you don't have javascript enabled. Almost every site on the web uses javaScript in one way or the other. Disabling JavaScript means disconnecting yourself from the web. – Pinkie Apr 02 '11 at 18:55
1

@Pinkie what a stupid commment, not everyone has javascript enabled. That's almost the same as saying everyone has a CSS3 + html5 compatible browser. – jackJoe Apr 03 '11 at 13:26

score 1 · Answer 4 · answered Apr 02 '11 at 08:34

HTTP access can be blocked to some extend by using an HTTP Referer filter. Access "by host server" can also be monitored through looking at the Referer in the HTTP logs. It's not a perfect solution, but for standard browser access will get you most of the way there. ("No Hot-Linking" setups sometimes work like this.)

For legal action, seek the advice of a lawyer :-) However, my first inclination would be to ask the other site owners to stop. They may just be nice.

score 0 · Answer 5 · answered Jul 28 '14 at 09:45

0

you can use this js code in top of your website (header page)

if (window.top !== window.self) window.top.location.replace(window.self.location.href);

answered Jul 28 '14 at 09:45

Satish Sharma

9,547
6
29
51

score 0 · Answer 6 · answered Oct 29 '19 at 16:29

You can prevent other websites from framing your data using a Content Security Policy header e.g. frame-ancestors 'none'; will block every website from embedding your content in an iframe on their site https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

Prevent iframe stealing

6 Answers6

Linked

Related