0

I'm new to iframes and their security flaws. I have website A that needs to be embedded on an iframe on a list of websites. Here is the interesting part.

  • The list of trusted websites and the iframe share the same domain.
  • Only the list of trusted websites can iframe A
  • If an untrusted website tries to iframe A, some error should be rendered.

I know some places do this with some sort of tokenization system. Does anyone know or have some good references to do this?

HoBa
  • 3,442
  • 5
  • 26
  • 33
  • 1
    what's the purpose of the iframes? for show or does it communicate? – Joseph Feb 18 '12 at 05:18
  • people can't help you without giving some kind of idea what you are doing and what you have got so far. can you at least describe the situation, what the iframes are for, why are you using them, why mention risks and so on... – Joseph Feb 18 '12 at 05:28
  • well, that's all I can provide and I see the situation very clear. An iframe accesible only to a list of websites which shared the same domain (including the iframe'd website). – HoBa Feb 18 '12 at 05:34

1 Answers1

1

well, you can't prevent people from framing your website because you don't control their code.

however, you could:

  • use a framebuster to bust your site to top level (exit from iframe and into main window).

  • check the parent window's url (the url of the site framing your site). it works only if same domain, meaning if another domain is iframing you, you can't get the parent url ("aha! someone's framing your site!"). if you CAN get the url, the top site is from your domain. the only thing you need to do after that is to check if that site is part of your trusted sites in your domain.

Community
  • 1
  • 1
Joseph
  • 117,725
  • 30
  • 181
  • 234