I have a rotator link and I dont want to allow people to open it in iframe.
How to stop php process in iframe?
header("X-FRAME-OPTIONS: DENY");
does not work in firefox and chrome. my link is (EDITED)
Check the Access-control-allow-origin header.
It allows you to control which domain can access or frame your scripts.
You can choose between 3 values :
Only from the same domain
Only from a domain listed on a list you made
From anyone (wildcard)
Since PHP is never in an iframe but executed on the server side there is no way to reliably know if the request originated from an iframe on your site of not.
If your intention (which is not quite clear) is to make sure people don't put an iframe of your site on another site, then you can check for the referrer of the request etc. But most of it can be spoofed.
Update due to comment:
Then there is unfortunately no good standardized way of getting this type of information reliably. If you yourself had an iframe on your site and for some reason didn't want that to be able to call your script you could probably do this by adding some GET parameters via javascript or something. But since you have pretty good control over your own iframes this shouldn't be a problem.
But when it comes to determining of the request from the browser to your server originated in an iframe or not there is no information in the HTTP header to disclose this. The only thing you could possibly be informed about is if that iframe is from a page hosted on another domain.
But if you have an iframe on your own site, don't add any extra parameters to the request and access your script in it and then normally from the browser's main window the two requests will look the same on the server.
I'm not completely sure if I understand your question, but here's a list of things:
If you want to stop your page being loaded in an iframe, there's not easy way of doing that, if the browser is ignoring X-Frame-Options: DENY.
If you have a link the user can click that opens in the iframe, not the parent frame, you can use the base html tag, to specify to the browser to open any links you click in the parent frame, with <base target="_parent" />
If you want to redirect automatically, and that causes an issue when loaded in an iframe because you use headers to do it or something, you could probably use the base tag and some javascript to automate clicking on the link as an alternative
Related
This is a follow up to This Question about controlling on what site(s) a page can be iframed.
I would like to use the accepted answer, but when a link inside the iframe is clicked, the referrer is then reported as the domain that hosts the framed content. Is there a server side way of prevening the site from displaying if it is not inside a frame? (apache, php5)
Here's what I'm trying to acheive:
My server generates some content. We want to share that content with specific other websites. We do not want this content to display by itself. If at all possible, I don't want to rely on client side script because it can be turned off. (setting the body tag or the main wrapper div to display: none doesn't really help, as the content is still there, in the source.)
It is impossible for PHP to know if the request come from inside a iframe, because it will have the exactly same form it would have if made at the top level window.
Why can't you use includes? In this case, there's a simple solution:
if (strcmp(basename($_SERVER['SCRIPT_NAME']), basename(__FILE__)) === 0){
header("location: index.php");
}
Edit:
What I'm saying is that with iframes you can't control the access from the server side.
Lets imagine you have your main page index.php and the page that is iframed, like foo.php.
When you do <iframe src="foo.php"></iframe> a new HTTP request is made to the server, and it is almost the same than the request made for index.php.
With includes, you'd only have one request. One of the parameters of the request parsed by PHP server is the script name. When you do: GET /index.php HTT/1.1, the script name will be index.php.
Putting the code I showe you IN THE INCLUDED FILES will prevent them to be accessed directly, you can just reference them by an include.
I don't think that the server (or server-side code) can possibly know whether the page is displayed inside of an iframe. The server serves page requests and has no knowledge of the presentation.
I think that the closest you can come on a server-side solution (in PHP) is to check the $SERVER['HTTP_REFERER']
If you absolutely must restrict access to the script to a frame, you will need something on the client that can examine the presentation. A couple of solutions for doing this in javascript are here and here
I faced the same problem solved with this:
$ref = $_SERVER['HTTP_REFERER'];
if($ref == '') {
exit;
}
An iframe's referer is the parent window's url so if the page to be iframed does not have an referer does not load so you get want
I realized that many of web app use # in their app's URL.
For example, Google Analytics.
This address is in the URL bar when I am viewing the visitor's language page:
https://www.google.com/analytics/web/?hl=en#report/visitors-language/a33185827w60383872p61754588/
This address is in the address bar when I am viewing the visitors' geolocation page:
https://www.google.com/analytics/web/?hl=en#report/visitors-geo/a33185827w60383872p61754588/
I think that this is the Google Analytics web app passing #report/visitors-language and #report/vistiors-geo.
I know that Google analytics is using an <iframe>. It seems that only the main content box is changing when displaying content.
Is # used because of the <iframe> functionality?
There are several answers but none cover the backend part.
Here is a URL, one from your own example:
www.google.com/analytics/web/?hl=en#report/visitors-language/a33185827w60383872p61754588/
You can think about the post-hash (including the hash #) part as a client-side request.
The web server will never know what was entered after the hash sign. It is the browser pointing to a specific ID on the page.
For basic web pages, if you have this HTML: <a name="main">welcome</a>
on a web page at www.example.com/welcome, going to www.example.com/welcome#main will scroll your browser viewport to the welcome text in the <a> HTML tag.
The web server will not know whether #main was in the URL or not.
Values in the URL after a question mark are called URL parameters, e.g. www.example.com/?foo=bar. The web server can deliver different content based on those values.
However, there is a technology developed by Google called AJAX (Asynchronous JavaScript and XML) that makes use of the # part in the URL to deliver different content without a page load. It's not using an <iframe>.
Using JavaScript, you can trigger a change in the URL's post-hash part and make a request to the server to get a specific part of the page, for example for the URL www.example.com/welcome#main2 Even if an element named #main2 does not exist, you can show one using JavaScript.
A hashbang is #!. It is used to make search engine indexing easier by indicating that this part is a dynamic web page.
This is the "hash" in the url.
Many browsers support hash change event in javascript.
as per my knowledge the hash change is the revolution in the ajax callbacks.
as such when the user interacts with the any link with a hash then on the hash change the event is fired and you can apply any thing with the javascript.
one more thing is that hash change is supported by the browser history.
see below URL
SEO and the use of !# in a url
or Read it
'#! is called a "hashbang" and they are the root of all that is evil in web development.'
Basically, weak web developers decided to use #anchor names as a kludgy hack to get "web 2.0" things to work on their page, then complained to google that their page rank suffered. Google made a work around to their kludge by enabling the hashbang.
Weak web developers took this work around as gospel. Don't use it. It is a crutch.
Web development that depends on hashbangs is web-development done wrong.
This article is far more well worded than I could ever be, and deals with the Gawker media fiasco from their migration to a (failed) hashbang centric website. It tells you WHAT is happening and why it's bad.
http://isolani.co.uk/blog/javascript/BreakingTheWebWithHashBangs
Correct me if I'm wrong, the hashtag in that URL would be used as an anchor to scroll the page to an element with an id. For example, I send you to the url http://example.com/sample#example, and the page would scroll (just display) at the element (I'm using a div as an arbitrary example, it could be anything).
Ajax and hash mark in the url mostly used for quick action.
If you have a part in your site that can be visible only by fire event (mostly click) - it would be hard to share it. With hash mark in the url you can (by javascript) make the browser think that you did the required action and it will display the relevant part.
Normally the '#' is using in url will find the particular id which is next to '#' in that particular page. By using this we can view the particular content at middle of the page also.
How I prevent acces for all php files inside a folder with htacces but when I want acces through iframe works fine?
I don't want that the users accessing through url because it would be a security bug..
Any answer?
Accessing a page via an iframe is the same as accessing it via a url. If you make the page inaccessible in that way then the iframe will not be able to load it either.
This just is not possible. You cannot have what you want. You can think of an iframe as a browser within a browser. An iframe makes an independent fresh GET request to your server for the content's URL, with no indication that it is being used in an iframe.
However, once the page has been delivered to the client, you can have the page run some javascript to check if it is an iframe and delete it's own content if it isn't.
if (top === self) {
// not in an iframe. delete all the content
document.body.innerHTML = 'Not allowed';
}
You could invert this to deliver invisible content, but have the javascript make the content visible if top != self
Now, of course, this only affects the visibility of the content to the user. It is still being delivered and a power-user can still interact with it. This is only a bit of visual trickery - there is zero security.
I'm creating a website where users enter a URL and it's displayed in an iFrame, to be brief. I know a lot of websites have code to break out of iFrames (popular example, Google).
Is there any way to check, with JavaScript or PHP whether a given URL will break out of an iFrame?
As a side-note, I don't mind taking a website snapshot but I haven't found an existing adequate website and I can't seem to install wkhtmltoimage/pdf...but that's a different question.
So long as the iframe's URL is different to that of the parent (your website) the iframe's JavaScript cannot access anything in its parent.
For cross-domain iframe communication to work one might use HTML5's PostMessage (which has decent support as of right now) or passing params via the URL of the iframe.
Both of these methods require the parent (your website) to explicitly intercept the 'calls' from the iframe and do whatever...
All in all, for security reasons an iframe from an unknown source can't simply alter the parent site holding the iframe.
AM a newbie in php, i have seen some web applications that have only index.php showing on the browsers address path, when you put the mouse pointer, you would see that the links show with together with the variables required for the next page. However when you click on the link, the address bar would still show index.php. If one enters the variables directly on the address bar, then it takes you back to the home page.
How is this done?
A common way to do this is using AJAX or JQuery, allowing you to place content from other pages within an element of your mainpage, not causing a browser page refresh, while still having the same page in the url.
Using firebug extension of firefox, on the network tab, you can inspect what is send and how to the server.
This can be done with some success by checking the HTTP Referer header.
Here is a link of how to do it
Beautiful way to remove GET-variables with PHP also checke using htaccess