How to make the iframe block requests from certain domains?

Question

Is there an attribute for iframes that will make it block requests to certain domains? Something like the following:

<iframe src="www.example.com" block-domains="google.com"></iframe>

So if block-domains is that magical attribute I'm looking for, it's telling the iframe to block all requests to google.com.

Answer 1

I believe the closest you can get to this is by setting X-Frame-options in the HEADER declaration. The documentation here states that you can provide any one of the 2 following options (the 3rd being obsolete):

• DENY : the iframe will not be displayed, regardless of the page trying to embedd it
• SAMEORIGIN : the iframe will only be displayed if called by a site having the same origin as the page itself (by checking the frame ancestors)

Another work around might be to use frame-ancestors as part of content security policy header, that will allow you to specify sites on which the iframe can be embedded.