How to prevent my site page to be loaded via 3rd party site frame of iFrame
You cannot check it from the server's side, but you can use javascript to detect it after the page has loaded. Compare top
and self
, if they're not identical, you are in a frame.
Additionally, some modern browsers respect the X-FRAME-OPTIONS
header, that can have two values:
- DENY – prevents the page from being rendered if it is contained in a frame
- SAMEORIGIN – same as above, unless the page belongs to the same domain as the top-level frameset holder.
Users include Google's Picasa, that cannot be embedded in a frame.
Browsers that support the header, with the minimum version:
- IE8 and IE9
- Opera 10.50
- Safari 4
- Chrome 4.1.249.1042
- Firefox 3.6.9 (older versions with NoScript)
How to prevent other websites putting my web page in their iframes?
Use X-Frame-Options response header, this will tell the browser wether it should show the webpage in a frame or not. E.g.
X-Frame-Options: SAMEORIGIN
Using iframes to protect the rest of a page from scripts in 3rd party proxied-in div
I suggest that you use iframe element and put the div element into it
Overcoming Display forbidden by X-Frame-Options
I had a similar issue, where I was trying to display content from our own site in an iframe (as a lightbox-style dialog with Colorbox), and where we had an server-wide "X-Frame-Options SAMEORIGIN" header on the source server preventing it from loading on our test server.
This doesn't seem to be documented anywhere, but if you can edit the pages you're trying to iframe (eg., they're your own pages), simply sending another X-Frame-Options header with any string at all disables the SAMEORIGIN or DENY commands.
eg. for PHP, putting
<?php
header('X-Frame-Options: GOFORIT');
?>
at the top of your page will make browsers combine the two, which results in a header of
X-Frame-Options SAMEORIGIN, GOFORIT
...and allows you to load the page in an iframe. This seems to work when the initial SAMEORIGIN command was set at a server level, and you'd like to override it on a page-by-page case.
All the best!
3rd party app in an iFrame must keep header/top frame session alive
You could add another, hidden IFrame on the main page that is set to refresh every 10 minutes (or whatever sits within the session timeout). This would cause the session on the main page to stay alive without the user experiencing any page refreshes.
EDIT to add requested example
var frameHTML='';
function CheckFrame() {
//get frame BODY
var frameBody=$("#FFRAMEID1" + _frameNumber).contents().find("body").html();
//Compare
if(frameBody==frameHTML) {
//Content has not changed. Do not refresh main session.
}
else {
//Content has changed. Refresh main session.
}
//Set most recent check string
frameHTML=frameBody;
//Set OTHER hidden frame source to refresh main page (could be replaced by just an AJAX call)
$('#FRAMEID2').attr("src", 'FRAMESRC');
}
Related Topics
What's the Net::Err_Http2_Protocol_Error About
Filter Multidimensional Array Based on Partial Match of Search Value
Implementing Condition in Xpath
Making Sure PHP Substr Finishes on a Word Not a Character
How to Login in With Curl and Ssl and Cookies
PHP Sessions That Have Already Been Started
Transform Relative Path into Absolute Url Using PHP
Header and Footer in Codeigniter
Correct PHP Headers For Pdf File Download
How to Include Code into a PHP Class
Why Are My Cookies Not Setting
How to Remove an Array Element in a Foreach Loop
The Holy Grail of Cleaning Input and Output in PHP
Convert Plain Text Urls into HTML Hyperlinks in PHP
Why Is Using a MySQL Prepared Statement More Secure Than Using the Common Escape Functions
What Is the Canonical Way to Determine Commandline Vs. Http Execution of a PHP Script