How I prevent acces for all php files inside a folder with htacces but when I want acces through iframe works fine?
I don't want that the users accessing through url because it would be a security bug..
Any answer?
Accessing a page via an iframe is the same as accessing it via a url. If you make the page inaccessible in that way then the iframe will not be able to load it either.
This just is not possible. You cannot have what you want. You can think of an iframe as a browser within a browser. An iframe makes an independent fresh GET request to your server for the content's URL, with no indication that it is being used in an iframe.
However, once the page has been delivered to the client, you can have the page run some javascript to check if it is an iframe and delete it's own content if it isn't.
if (top === self) {
// not in an iframe. delete all the content
document.body.innerHTML = 'Not allowed';
}
You could invert this to deliver invisible content, but have the javascript make the content visible if top != self
Now, of course, this only affects the visibility of the content to the user. It is still being delivered and a power-user can still interact with it. This is only a bit of visual trickery - there is zero security.
Related
This is a follow up to This Question about controlling on what site(s) a page can be iframed.
I would like to use the accepted answer, but when a link inside the iframe is clicked, the referrer is then reported as the domain that hosts the framed content. Is there a server side way of prevening the site from displaying if it is not inside a frame? (apache, php5)
Here's what I'm trying to acheive:
My server generates some content. We want to share that content with specific other websites. We do not want this content to display by itself. If at all possible, I don't want to rely on client side script because it can be turned off. (setting the body tag or the main wrapper div to display: none doesn't really help, as the content is still there, in the source.)
It is impossible for PHP to know if the request come from inside a iframe, because it will have the exactly same form it would have if made at the top level window.
Why can't you use includes? In this case, there's a simple solution:
if (strcmp(basename($_SERVER['SCRIPT_NAME']), basename(__FILE__)) === 0){
header("location: index.php");
}
Edit:
What I'm saying is that with iframes you can't control the access from the server side.
Lets imagine you have your main page index.php and the page that is iframed, like foo.php.
When you do <iframe src="foo.php"></iframe> a new HTTP request is made to the server, and it is almost the same than the request made for index.php.
With includes, you'd only have one request. One of the parameters of the request parsed by PHP server is the script name. When you do: GET /index.php HTT/1.1, the script name will be index.php.
Putting the code I showe you IN THE INCLUDED FILES will prevent them to be accessed directly, you can just reference them by an include.
I don't think that the server (or server-side code) can possibly know whether the page is displayed inside of an iframe. The server serves page requests and has no knowledge of the presentation.
I think that the closest you can come on a server-side solution (in PHP) is to check the $SERVER['HTTP_REFERER']
If you absolutely must restrict access to the script to a frame, you will need something on the client that can examine the presentation. A couple of solutions for doing this in javascript are here and here
I faced the same problem solved with this:
$ref = $_SERVER['HTTP_REFERER'];
if($ref == '') {
exit;
}
An iframe's referer is the parent window's url so if the page to be iframed does not have an referer does not load so you get want
I have a rotator link and I dont want to allow people to open it in iframe.
How to stop php process in iframe?
header("X-FRAME-OPTIONS: DENY");
does not work in firefox and chrome. my link is (EDITED)
Check the Access-control-allow-origin header.
It allows you to control which domain can access or frame your scripts.
You can choose between 3 values :
Only from the same domain
Only from a domain listed on a list you made
From anyone (wildcard)
Since PHP is never in an iframe but executed on the server side there is no way to reliably know if the request originated from an iframe on your site of not.
If your intention (which is not quite clear) is to make sure people don't put an iframe of your site on another site, then you can check for the referrer of the request etc. But most of it can be spoofed.
Update due to comment:
Then there is unfortunately no good standardized way of getting this type of information reliably. If you yourself had an iframe on your site and for some reason didn't want that to be able to call your script you could probably do this by adding some GET parameters via javascript or something. But since you have pretty good control over your own iframes this shouldn't be a problem.
But when it comes to determining of the request from the browser to your server originated in an iframe or not there is no information in the HTTP header to disclose this. The only thing you could possibly be informed about is if that iframe is from a page hosted on another domain.
But if you have an iframe on your own site, don't add any extra parameters to the request and access your script in it and then normally from the browser's main window the two requests will look the same on the server.
I'm not completely sure if I understand your question, but here's a list of things:
If you want to stop your page being loaded in an iframe, there's not easy way of doing that, if the browser is ignoring X-Frame-Options: DENY.
If you have a link the user can click that opens in the iframe, not the parent frame, you can use the base html tag, to specify to the browser to open any links you click in the parent frame, with <base target="_parent" />
If you want to redirect automatically, and that causes an issue when loaded in an iframe because you use headers to do it or something, you could probably use the base tag and some javascript to automate clicking on the link as an alternative
AM a newbie in php, i have seen some web applications that have only index.php showing on the browsers address path, when you put the mouse pointer, you would see that the links show with together with the variables required for the next page. However when you click on the link, the address bar would still show index.php. If one enters the variables directly on the address bar, then it takes you back to the home page.
How is this done?
A common way to do this is using AJAX or JQuery, allowing you to place content from other pages within an element of your mainpage, not causing a browser page refresh, while still having the same page in the url.
Using firebug extension of firefox, on the network tab, you can inspect what is send and how to the server.
This can be done with some success by checking the HTTP Referer header.
Here is a link of how to do it
Beautiful way to remove GET-variables with PHP also checke using htaccess
I am building an AJAX deep-linked site.
I want PHP to load all the HTML code of the page if the user is trying to access the site with a Javascript non-supported browser or if it is a search crawler. Basically PHP will return the whole page.
On the contrary, when the user is trying to access the site with Javascript supported browser, I want PHP to return only the template code, and let Javascript (AJAX) take care of the rest. Basically PHP will only load design elements and let Javascript populate them with content.
I looked into PHP's get_browser() function, however it seems it is not such a reliable tool. What is the industry's practice see if the browser supports Javascript or it is a search crawler using PHP?
Background:
Why I want the site to have this behavior.
Since I want the home page to load just by loading the address: example.com, which does not send any query to PHP, PHP returns the HTML code of the home page. This however causes issues when the user tries to load the following page: example.com#foo. So, for this example, PHP will return the home page and once the home page is loaded, Javascript (AJAX) will change the content around so that it shows proper content for #foo. This will make the user to see the home page, therefore load time will be slower and user-experience will not be so nice. However if my PHP script can figure out that if the use with Javascript supported browser is trying to load the page, it will only return the template of the web site, which has no content) and the javascript will populate that template with content whatever is supposed to be displayed for #foo. On the other hand, if the Javascript non-separated browser or a crawler will try to access the page example.com#foo, home page will be returned.
I am using SWFaddress (http://www.asual.com/swfaddress/) library for the deep-linking.
Edit
Thank you guys. I did not think of using <noscript></noscript> before.
Here is what I decided to do. PHP by default will load pages such as example.com or example.com#foo (which is essentially the same as example.com from PHP's point of view since fragments by definition are not sent to the server) blank (just visual template) with <noscript> tag inside for the content of the home page. This way users with javascript will not see the home page and AJAX will populate the content of the page according to the #foo fragment. On the other hand, search crawlers and users without javascript will see a home page.
Thank you again. I think this is pretty simple and elegant solution. If you have any further suggestions, please post a comment or another answer.
You can't do this using PHP. What you can do though is use a noscript tag to redirect to another php page if they don't have javascript:
<noscript>
<meta http-equiv="refresh" content="0; URL=nojavascript.php">
</noscript>
It's not possible to accomplish this in the way you're trying to do it.
It's rare that someone has JS turned off and doesn't know it.
PHP doesn't get passed anything after #, only javascript can do anything with that. So even if PHP could determine if the browser has javascript turned on then it still couldn't read # anyways.
You could include a link inside some <NOSCRIPT> tags that point the user to something like example.com#foo?javascript=disabled.
Unfortunately, browsers do not report whether JS is enabled or not, so there's no way to know from a simple HTTP GET whether or not you should send JS reliant pages.
You should just build an AJAX query that sets a session variable for javascript enabled.
Run this AJAX query before any other information on the site is loaded and then do a simple redirect to the actual site.
You could do something like this pseudo code:
Index.php:
ajax(check_js.php);
redirect(main_page.php);
check_js.php
$_SESSION['js_enable'] = true;
main_page.php
if($_SESSION['js_enable'] == true) {
//execute page
} else {
header("Location: no_js_error.php");
}
Instead of the server trying to sniff our the user's settings, how about using unobtrusive javascript in the first place? This way, the page will degrade gracefully (to the desired state) if JS is not available.
I am creating a widget that would load in a IFrame and users will be able to place the widget on their own website. How would I get the URL of the website that is using the IFrame in javascript and/or PHP? The IFrame loads a php file.
I have tried "parent.top.location.href" and "parent.document.referrer" in the IFrame page but that is undefined.
I have also tried to echo "$_Server[referrer]" in the IFrame page and that did return the IFrame parent URL, but how easy is it for someone to manipulate the referrer variable? I dont want to get misleading information.
I have also tried to echo "$_Server[referrer]" in the IFrame page and that did return the IFrame parent URL, but how easy is it for someone to manipulate the referrer variable? I dont want to get misleading information.
If this is a concern, give up. The referrer can always be trivially modified. It should never, ever be relied upon for anything important.