#1
Registered User, Devshed Newbie (0 - 499 posts), joined Jan 2017, 12 posts

    Limit iframes to specific domains


Hi,
I need your higher-level view on how doable and secure this plan is. We need to find a way to sell our research to specialised websites, which will make it available to their clients via embedded iframes located in protected membership sections. Our website is fully static and can be easily embedded: no server calls and feeds are necessary – just plain loading of HTML.
Now – we want to offer a simple – very fast – plug-and-play type of content embedding into their websites. The content will be accessible via the iframes. They can theoretically place any part of our website into an iframe to show it to clients where they need it. We will specify on our server which domains can access our content via iframe using the following code:
Code:
# Apache httpd (mod_headers). Header name and value are separate arguments; no colon after the name.
# ALLOW-FROM (hyphen, not underscore) is the legacy X-Frame-Options syntax; frame-ancestors is the CSP equivalent.
Header set X-Frame-Options "ALLOW-FROM https://specificdomain.com"
Header set Content-Security-Policy "frame-ancestors https://specificdomain.com"
We will also prevent each of the shared pages from being accessed directly (by putting the URL into the search bar) – by redirecting the page to the homepage when it is accessed NOT through an iframe:
Code:
<script>
// Redirect to the homepage when this page is not loaded inside a frame.
if (top.location == self.location) {
  top.location = "index.html"; // must be viewed in main index
}
</script>
    I wonder if the above solution is workable?
#2
Registered User, Devshed Newbie (0 - 499 posts), joined Jun 2019, 2 posts
Yes, I think it is a good approach.

However, if you are dealing with a large domain whitelist, you may get the Referer header server-side, check whether it is in the whitelist, and then send it back in those headers (X-Frame-Options and CSP frame-ancestors). Thus, you don't need to include all your client domains on each request.
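The server-side variant suggested in the reply above, written out as an added example (not code from either poster); the partner origins are constructed placeholders. It compares the Referer's origin exactly against the allow-list rather than by substring, never echoes an unlisted value, and falls back to a closed policy when the Referer is absent or unknown; note that frame-ancestors only governs embedding, so a direct visit to the static HTML still renders and this is not a substitute for access control on the content itself.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allow-list of partner origins (placeholders, not from the thread).
# Entries are full origins: scheme + host (+ port if non-default), lowercase.
ALLOWED_ORIGINS = {"https://partner-a.example", "https://partner-b.example"}


def referer_origin(referer: Optional[str]) -> Optional[str]:
    """Reduce a Referer value to its origin, or None if unusable.

    Only https origins are accepted; a plain-HTTP embedder would let the
    research be framed from a page an on-path attacker can rewrite.
    """
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.scheme != "https" or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_headers(referer: Optional[str], allowed=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Return the anti-framing response headers for one request.

    The browser enforces frame-ancestors against the real ancestor chain,
    so a forged Referer cannot grant anything the allow-list does not
    already grant; the exact-origin match only decides which listed
    partner is named. A bare substring check would accept
    https://partner-a.example.attacker.test, so the whole origin is compared.
    """
    origin = referer_origin(referer)
    if origin in allowed:
        # CSP frame-ancestors is honoured by all current browsers;
        # X-Frame-Options ALLOW-FROM is legacy and widely unsupported,
        # so it is not emitted for the permitted case.
        return {"Content-Security-Policy": f"frame-ancestors {origin}"}
    # Closed default: missing, non-https or unknown Referer means no framing.
    # Both headers are sent so older clients that ignore CSP still deny.
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }
```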
