how to block website from loading in iframe?
For modern browsers, you need to enable X-Frame-Options in the header.
The X-Frame-Options header can be implemented through web server configuration settings.
You can view X-Frame-Options in the header, as in the image below.
Reference: https://www.keycdn.com/blog/x-frame-options/
If your browser does not support it, then you will have NO clickjacking defense in place and can use the HTTP header field X-Frame-Options:
<meta http-equiv="X-Frame-Options" content="deny">
There are three possible values for X-Frame-Options:
DENY - The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri - The page can only be displayed in a frame on the specified origin.
How to block my website from loading in other sites iframes
My solution is to put this in the head or body tag:
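<script type="text/javascript">
  // Frame-busting: if this page is not the top-level window, break out of the frame.
  function PreventFrame() {
    try {
      if (window.top !== window.self) {
        document.write = "";
        // Navigate the top-level window to this page.
        window.top.location = window.self.location;
        // Blank the framed copy now (if the body exists yet) and again on load.
        setTimeout(function() {
          if (document.body) {
            document.body.innerHTML = '';
          }
        }, 0);
        window.self.onload = function() {
          document.body.innerHTML = '';
        };
      }
    } catch (err) {
      // Errors are deliberately ignored.
    }
  }
  PreventFrame();
</script>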
How to prevent a web-page from knowing that it is loaded inside an iframe?
There is no way to get this information. The reason that websites should always be able to know they're in an iframe is for security reasons.
It allows for things like frame-busting, where a website stops itself from being displayed or redirects to the site itself.
If a website were to be shown in an iframe without knowledge of this, I could overlay a separate form element and use this in phishing attacks.
That would be a serious security issue.
How to prevent my site page to be loaded via 3rd party site frame of iFrame
You cannot check it from the server's side, but you can use JavaScript to detect it after the page has loaded. Compare top and self; if they're not identical, you are in a frame.
Additionally, some modern browsers respect the X-FRAME-OPTIONS header, which can have two values:
- DENY – prevents the page from being rendered if it is contained in a frame
- SAMEORIGIN – same as above, unless the page belongs to the same domain as the top-level frameset holder.
Users include Google's Picasa, that cannot be embedded in a frame.
Browsers that support the header, with the minimum version:
- IE8 and IE9
- Opera 10.50
- Safari 4
- Chrome 4.1.249.1042
- Firefox 3.6.9 (older versions with NoScript)
How to not let sites block your iframe?
David Chen pointed out that my previous answer was false due to cross-domain access, which was very true.
A solution that is on the web at the moment is to download the website's headers and assess whether the iframe will be blocked.
A website which performs this is
http://www.tinywebgallery.com/blog/advanced-iframe/free-iframe-checker
If you download the website headers and they contain X-Frame-Options, for example
'X-Frame-Options => SAMEORIGIN'
then this could help you determine if an iframe will load.
Docs on X-Frame-Options can be found here - https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
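An added example (not from any of the answers on this page, and not the linked checker's code): a Node.js function that applies the X-Frame-Options values described above to a set of response headers, so you can verify that your own responses block cross-origin framing. The function names, header objects and origins are constructed for illustration; www.abc.com is the placeholder host used elsewhere on this page.

```javascript
// Added example. All header objects and origins below are constructed samples.

function getHeader(headers, name) {
  // HTTP header names are case-insensitive.
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]);
}

// Decide whether a page served with `headers` at `pageUrl` may be framed by `embedderUrl`.
function framingVerdict(headers, pageUrl, embedderUrl) {
  const raw = getHeader(headers, 'X-Frame-Options');
  if (raw === null || raw.trim() === '') {
    return { verdict: 'unprotected', reason: 'no X-Frame-Options header' };
  }
  // A proxy or framework may emit the header twice; the values are then comma-joined.
  const values = [...new Set(raw.split(',').map(v => v.trim().toUpperCase()))];
  if (values.length > 1) {
    return { verdict: 'invalid', reason: 'conflicting values: ' + values.join(' / ') };
  }
  const value = values[0];
  if (value === 'DENY') {
    return { verdict: 'blocked', reason: 'DENY blocks every embedder' };
  }
  if (value === 'SAMEORIGIN') {
    // Origin = scheme + host + port, so http:// and https:// differ.
    const same = new URL(pageUrl).origin === new URL(embedderUrl).origin;
    return same
      ? { verdict: 'allowed', reason: 'embedder shares the page origin' }
      : { verdict: 'blocked', reason: 'embedder is a different origin' };
  }
  if (value.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM is obsolete; current browsers ignore a header that uses it.
    return { verdict: 'unreliable', reason: 'ALLOW-FROM is not honoured by current browsers' };
  }
  return { verdict: 'invalid', reason: 'unrecognised value: ' + value };
}

// Constructed sample responses for a page at https://www.abc.com/game
const page = 'https://www.abc.com/game';
const samples = [
  [{ 'X-Frame-Options': 'SAMEORIGIN' }, 'https://other.example/'],
  [{ 'x-frame-options': 'deny' }, 'https://www.abc.com/lobby'],
  [{ 'Content-Type': 'text/html' }, 'https://other.example/'],
];
for (const [headers, embedder] of samples) {
  const r = framingVerdict(headers, page, embedder);
  console.log(embedder, '->', r.verdict, '(' + r.reason + ')');
}
```

Any verdict other than blocked for a cross-origin embedder means the response does not reliably prevent framing.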
How to prevent other websites putting my web page in their iframes?
Use the X-Frame-Options response header; this will tell the browser whether it should show the webpage in a frame or not. E.g.
X-Frame-Options: SAMEORIGIN
How to prevent my site page from being loaded into other website iframe?
A first solution is to use the X-Frame-Options header to prevent loading your page in an iframe. X-Frame-Options can specify one of two values: SAMEORIGIN, which only allows iframes from the same origin to display this content, and deny, which prevents any iframe from doing so. BUT this header is not part of the HTTP specification and was introduced by Microsoft, so not all browsers support this header. An example of X-Frame-Options:
X-Frame-Options: SAMEORIGIN
In case some old browsers don't support the X-Frame-Options header, you could try a technique called FrameKiller. There are limitations, though, as pointed out in that link.
The user agent does not support JavaScript.
The user agent supports JavaScript but the user has turned support off.
The user agent's JavaScript support is flawed or partially implemented.
The idea is to use JavaScript to detect whether your page is loaded into an iframe. There are many ways to implement a frame killer script.
For your requirement, you could implement a frame killer script like this: try to access your parent window to read the window.location. If they include your page inside their iframe, the code will throw an exception (cross-domain).
Example code:
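window.onload = function () {
  try {
    // Reading the parent's location throws when the parent is on another origin.
    if (window.parent && window.parent.location.hostname !== "www.abc.com") {
      throw new Error();
    }
  } catch (e) {
    // Reached when the page is framed by another site, or when the hostname check fails.
    alert("Please visit www.abc.com to play this game.");
    // You could do whatever you want here
  }
};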