How to prevent my site page to be loaded via 3rd party site frame of iFrame
PhpPythonIframeHttp HeadersFramePhp Problem Overview
How can I find out that my page is embedded as a frame to other site during page loading? I guess referrer request header can't help me here? Thanks.
Php Solutions
Solution 1 - Php
You cannot check it from the server's side, but you can use javascript to detect it after the page has loaded. Compare top
and self
, if they're not identical, you are in a frame.
Additionally, some modern browsers respect the X-FRAME-OPTIONS
header, that can have two values:
- DENY – prevents the page from being rendered if it is contained in a frame
- SAMEORIGIN – same as above, unless the page belongs to the same domain as the top-level frameset holder.
Users include Google's Picasa, that cannot be embedded in a frame.
Browsers that support the header, with the minimum version:
- IE8 and IE9
- Opera 10.50
- Safari 4
- Chrome 4.1.249.1042
- Firefox 3.6.9 (older versions with NoScript)
Solution 2 - Php
Stackoverflow includes some JS to test it (master.js
). This is the relevant part of it:
if(top!=self){
top.location.replace(document.location);
alert("For security reasons, framing is not allowed; click OK to remove the frames.")
}
But keep in mind that JS can be disabled.
Solution 3 - Php
For [modern browsers][1], you can use CSP (Content Security Policy), which is a standard. The following header will prevent the document from loading in a frame anywhere:
Content-Security-Policy: frame-ancestors 'none'
(IE 11 needs the X-
prefix, though). You can also change 'none'
to the origin on which framing is allowed, such as your own site.
To cover the older browsers, this is best used together with [@Maerlyn's answer][2].
[1]: http://caniuse.com/contentsecuritypolicy "CSP browser support" [2]: https://stackoverflow.com/a/2896705/1079573
Solution 4 - Php
you can prevent loading you page in an iframe with javascript
<script type="text/javascript">
if ( window.self !== window.top ) {
window.top.location.href=window.location.href;
}
</script>
this code change address of container of your page's iframe to your page address and force container to show your page.
Solution 5 - Php
Or you can block a specific domain if you don't mind your content in some locations but don't want it on a certain site. For example, if offendingdomain.com
was embedding your content, you could do this:
<script type="text/javascript">
if(document.referrer.indexOf("offendingdomain.com") != -1) {
window.location = "http://www.youtube.com/watch_popup?v=oHg5SJYRHA0";
}
</script>
This would check the parent document's location and see if it's the offendingdomain.com
that is embedding your content. This script will then send that iframe to a certain famous youtube video as punishment. In effect they just Rick-Rolled themselves.
Solution 6 - Php
Use javascript to check if it was loaded on iframe by placing the following script at the end of your php file and redirect to a page that displays warning or notice that your page should not be loaded using iframe.
<script type="text/javascript">
if(top.location != window.location) {
window.location = '/error_iframe.php';
}
</script>
Solution 7 - Php
<?php
header("Content-Security-Policy: frame-ancestors 'none'");
?>
Solution 8 - Php
Replace hosname to domain name
if (window.top.location.host != "hostname") {
document.body.innerHTML = "Access Denied";
}
Solution 9 - Php
I using this PHP code on top of the header
if($_SERVER['SERVER_NAME'] != 'yourwebsite.com'){
header('location: yourwebsite.com');
}
if someone did iframe your site it will redirect to your website