How to Prevent My Site Page to Be Loaded Via 3rd Party Site Frame of Iframe

How to prevent my site page to be loaded via 3rd party site frame of iFrame

You cannot check it from the server's side, but you can use JavaScript to detect it after the page has loaded. Compare top and self; if they're not identical, you are in a frame.

Additionally, some modern browsers respect the X-FRAME-OPTIONS header, which can have two values:

  • DENY – prevents the page from being rendered if it is contained in a frame
  • SAMEORIGIN – same as above, unless the page belongs to the same domain as the top-level frameset holder.

Users include Google's Picasa, which cannot be embedded in a frame.

Browsers that support the header, with the minimum version:

  • IE8 and IE9
  • Opera 10.50
  • Safari 4
  • Chrome 4.1.249.1042
  • Firefox 3.6.9 (older versions with NoScript)

How to prevent other websites putting my web page in their iframes?

Use the X-Frame-Options response header; this will tell the browser whether it should show the webpage in a frame or not. E.g.

X-Frame-Options: SAMEORIGIN

Using iframes to protect the rest of a page from scripts in 3rd party proxied-in div

I suggest that you use an iframe element and put the div element into it.

Overcoming Display forbidden by X-Frame-Options

I had a similar issue, where I was trying to display content from our own site in an iframe (as a lightbox-style dialog with Colorbox), and where we had a server-wide "X-Frame-Options SAMEORIGIN" header on the source server preventing it from loading on our test server.

This doesn't seem to be documented anywhere, but if you can edit the pages you're trying to iframe (e.g., they're your own pages), simply sending another X-Frame-Options header with any string at all disables the SAMEORIGIN or DENY commands.

E.g., for PHP, putting

<?php
header('X-Frame-Options: GOFORIT');
?>

at the top of your page will make browsers combine the two, which results in a header of

X-Frame-Options SAMEORIGIN, GOFORIT

...and allows you to load the page in an iframe. This seems to work when the initial SAMEORIGIN command was set at a server level, and you'd like to override it on a page-by-page case.

All the best!
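
The following is an added example, not part of the answer above and not code from any project it mentions: a check a site owner can run over captured response headers to find pages whose combined X-Frame-Options value is no longer exactly DENY or SAMEORIGIN, the "SAMEORIGIN, GOFORIT" condition the answer describes. The function names, status labels and sample responses are constructed for illustration.

```javascript
// The two values this page lists for X-Frame-Options.
const VALID = new Set(['DENY', 'SAMEORIGIN']);

// Collect every X-Frame-Options token from a raw response header block.
// Repeated header lines and comma-separated values are flattened together,
// which is how a combined value such as "SAMEORIGIN, GOFORIT" arises.
function frameOptionTokens(rawHeaders) {
  const tokens = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // status line or blank line
    if (line.slice(0, idx).trim().toLowerCase() !== 'x-frame-options') continue;
    for (const part of line.slice(idx + 1).split(',')) {
      const token = part.trim().toUpperCase();
      if (token) tokens.push(token);
    }
  }
  return tokens;
}

// Classify the framing policy a response actually carries.
function auditFrameOptions(rawHeaders) {
  const tokens = frameOptionTokens(rawHeaders);
  const distinct = [...new Set(tokens)];
  if (distinct.length === 0) return { status: 'missing', tokens };
  if (distinct.length === 1 && VALID.has(distinct[0])) return { status: 'ok', tokens };
  if (distinct.every((t) => VALID.has(t))) return { status: 'conflicting', tokens };
  return { status: 'unrecognized-value', tokens };
}

// Constructed sample responses (not captured from any real server).
const SAMPLES = {
  serverDefault: 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n',
  pageOverride: 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-Frame-Options: GOFORIT\r\n\r\n',
  combined: 'HTTP/1.1 200 OK\r\nx-frame-options: SAMEORIGIN, GOFORIT\r\n\r\n',
  bothValid: 'HTTP/1.1 200 OK\r\nX-Frame-Options: DENY, SAMEORIGIN\r\n\r\n',
  noHeader: 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n',
};

// Map each sample name to its audit status.
function auditAll(samples) {
  const report = {};
  for (const [name, raw] of Object.entries(samples)) {
    report[name] = auditFrameOptions(raw).status;
  }
  return report;
}

console.log(auditAll(SAMPLES));
```

Any status other than `ok` marks a page whose framing policy differs from the server-wide setting and should be reviewed.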

3rd party app in an iFrame must keep header/top frame session alive

You could add another, hidden IFrame on the main page that is set to refresh every 10 minutes (or whatever sits within the session timeout). This would cause the session on the main page to stay alive without the user experiencing any page refreshes.

EDIT to add requested example

var frameHTML = '';

function CheckFrame() {
    //get frame BODY
    var frameBody = $("#FFRAMEID1" + _frameNumber).contents().find("body").html();

    //Compare
    if (frameBody == frameHTML) {
        //Content has not changed. Do not refresh main session.
    }
    else {
        //Content has changed. Refresh main session.
    }

    //Set most recent check string
    frameHTML = frameBody;

    //Set OTHER hidden frame source to refresh main page (could be replaced by just an AJAX call)
    $('#FRAMEID2').attr("src", 'FRAMESRC');
}

