Restricting IFRAME access in PHP

I am creating a small web page using PHP that will be accessed as an IFRAME from a couple of sites. I'm wanting to restrict access to this site to work ONLY within the "approved" sites, and not other sites or accessed directly. Does anyone have any suggestions? Is this even possible? The PHP site will be Apache, and the sites iframing the content will probably be .NET.

Just to clarify, any site can view the page, as long as it's iframe'd within an approved site. I want to block people from accessing it directly. I'm thinking cookies might be a solution, but I'm not sure.

m0j0 asked Oct 23 '25 15:10



2 Answers

Unfortunately this isn't going to be possible.

Using JavaScript you can check to see if your page is embedded in another frame, but this won't be foolproof as JavaScript can be turned off in some people's browsers.

For example, you can run the following JavaScript to reparent your page if that's the intention:

// Compare window objects rather than Location objects: when the page is the
// top-level document, top and self are the same window.
if (window.top !== window.self) {
  // Framed: replace the framing page with this one (frame busting).
  window.top.location.href = window.location.href;
}
Gareth answered Oct 25 '25 03:10



Thinking about this... I'm not convinced this is completely secure, but here's a shot while I think about it more -

The only way you could do this, is if you control the sites it would be embedded in. If you control them, you could pass the time, encrypted, from the frameset to the frame:

 <iframe src="http://yourdomain/frame.php?key=p21n9u234p8yfb8yfy234m3lunflb8hv"></iframe>

frame.php then decrypts the message to find the time within a small delta (say 10 seconds). Because frame.php knows only acceptable sites could have encrypted the time, it knows it's okay to display itself. Otherwise, it outputs nothing.

Anything else, whether it's JavaScript or HTTP_REFERER, can be spoofed, turned off, or circumvented.

And in fact, with that url, an attacker will be able to show your frame anywhere, as long as the user loads it within 10 seconds. So the attacker would just scrape the accepted site, and grab the key. If that threat model is unacceptable to you - then there really is nothing you can do (except maybe an even more complicated protocol).

Tom Ritter answered Oct 25 '25 04:10

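The handshake from the answer above, written out as an added example (not the answerer's code): an HMAC over the timestamp stands in for the answer's encryption, since the time itself is not secret and only a holder of the shared secret can mint a key that frame.php accepts. The secret, the 10-second window and the URL are placeholders, and the embedding side (which the asker would run on the .NET sites) is shown in PHP alongside frame.php so the whole exchange runs in one file.

```php
<?php
declare(strict_types=1);
// Added example, not the answerer's code: the "encrypted time" handshake from the
// answer above, done as an HMAC-signed timestamp. Secret, window and URL are placeholders.

const SHARED_SECRET    = 'replace-with-a-long-random-secret'; // assumed: same value on both sites
const MAX_SKEW_SECONDS = 10;                                  // the "small delta" from the answer

// Embedding side (an approved site): key = "<unix time>.<hmac-sha256 hex>".
function makeFrameKey(string $secret, int $now): string
{
    $ts = (string) $now;
    return $ts . '.' . hash_hmac('sha256', $ts, $secret);
}

// frame.php side: accept only a key minted with the shared secret no more than
// MAX_SKEW_SECONDS away from $now. Malformed input is rejected before any crypto.
function isFrameKeyValid(string $key, string $secret, int $now): bool
{
    if (preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/', $key, $m) !== 1) {
        return false;
    }
    [, $ts, $mac] = $m;
    // Constant-time comparison so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $ts, $secret), $mac)) {
        return false;
    }
    // A valid key can still be replayed inside this window (the caveat in the answer).
    return abs($now - (int) $ts) <= MAX_SKEW_SECONDS;
}

// --- approved site renders the tag ---
$key = makeFrameKey(SHARED_SECRET, time());
echo '<iframe src="http://yourdomain/frame.php?key=' . rawurlencode($key) . '"></iframe>' . "\n";

// --- frame.php checks the key before producing any output ---
$incoming = (string) ($_GET['key'] ?? $key); // falls back to the fresh key so this runs stand-alone
if (!isFrameKeyValid($incoming, SHARED_SECRET, time())) {
    http_response_code(403);
    exit;                                    // "Otherwise, it outputs nothing"
}
echo "framed content here\n";

// A 60-second-old key carries a correct MAC but falls outside the window, so it is rejected.
var_dump(isFrameKeyValid(makeFrameKey(SHARED_SECRET, time() - 60), SHARED_SECRET, time()));
```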