How would I force my page to be loaded *only* in an iframe - security

I want to host a webpage that can only be served via iframes within my own domain.
An example of this in the wild would be Codepen. They sandbox the content of a "pen" in an iframe, but if you try to load the url from a browser it responds with an empty page.
I understand there might be multiple answers to this question but I'm hoping someone could point me in the right direction.
Would I be checking the referrer server side? Are there any other options?

Referer is a good start for the server side.
Also you can try using CORS headers:
Only allow iframe to load content
Or validate using client-side JavaScript code:
How to identify if a webpage is being loaded inside an iframe or directly into the browser window?
Also check the info about referrerpolicy:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-referrerpolicy
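An added example of the client-side half of that check (it is not code from the answer above or from the linked question): the detection logic takes a window-like object so it can be run in Node against constructed stubs; in a page you would call framingState(window). It also handles the case the "am I in an iframe" question usually glosses over: when the framing page is cross-origin, reading window.top.location throws a SecurityError, so the parent's origin is unknown and the page treats it as not allowed. The allowed origin and the stub windows are assumptions for the example.

```javascript
// Client-side detection of whether this document is inside an iframe, and
// whether the framer is a known origin. Takes a window-like object so the
// same logic can be exercised in Node; in a page, call framingState(window).
function framingState(win) {
  if (win.top === win.self) {
    return { framed: false, parentOrigin: null };
  }
  try {
    // Same-origin framer: its location is readable.
    return { framed: true, parentOrigin: win.top.location.origin };
  } catch (err) {
    // Cross-origin framer: the browser throws a SecurityError here, so the
    // parent's identity cannot be learned from script.
    return { framed: true, parentOrigin: null };
  }
}

// Render only when framed by the expected origin. Because this runs in the
// visitor's browser it can be bypassed by anyone who controls the client;
// it improves the experience for direct visitors, while the server-side
// check is what actually enforces the policy.
function shouldRender(state, allowedOrigin) {
  return state.framed && state.parentOrigin === allowedOrigin;
}

// Constructed stand-ins for browser window objects (not real DOM objects),
// used here so the logic can be exercised without a browser.
function makeWindow({ framed = false, parentOrigin = null, crossOrigin = false } = {}) {
  const win = {};
  win.self = win;
  if (!framed) {
    win.top = win;
    return win;
  }
  const top = {};
  if (crossOrigin) {
    // Mimics the browser: touching a cross-origin window's location throws.
    Object.defineProperty(top, 'location', {
      get() { throw new Error('SecurityError: Permission denied to access property "location"'); },
    });
  } else {
    top.location = { origin: parentOrigin };
  }
  win.top = top;
  return win;
}

// In a real page the whole thing reduces to (assumed allowed origin):
//   if (!shouldRender(framingState(window), 'https://example.com')) {
//     document.documentElement.textContent = '';
//   }
```

Note that a cross-origin framer is rejected even though it may be legitimate; if you need to admit a partner site, the decision has to be made on the server, where the request headers identify the framer.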

Related

How to make web page only allowed accessed by iframe

I have an application that embeds content from another server via an iframe. How do I prevent the iframe content from being accessed directly in a browser?
This is my page that embeds the iframe:
http://10.1.1.1/pustaka/random/parameter
and this is my iframe content server:
http://10.1.1.2/flipbook/folder/related/to/random/parameter
How to use .htaccess to allow page access in my iframe but not directly?
Try searching around for answers =] I believe this one will help you out, though.

Joomla wrapper and ssl

I have a Joomla site and I set SSL on it. On some pages I have a wrapper that loads a form from another server.
When I used http it worked normally, but after switching to https it loads for too long and at the end shows a timeout.
If I do not write any protocol in the URL and set
Add protocol - Yes
then the page loads normally, but the form is blocked by the browser.
link to page
What do I need to do to load the wrapper normally, or how can I exclude the page from SSL?
You are loading http content inside your web page. This is the console output:
Mixed Content: The page at 'https://carzilla.az/ru/voditelyu/proverka-shtrafov' was loaded over HTTPS, but requested an insecure resource 'http://85.132.44.29/nex'. This request has been blocked; the content must be served over HTTPS.
Try changing http://85.132.44.29/nex to https://85.132.44.29/nex
Is maybe that your problem? This resource is blocked.
EDIT
Anyway, when calling the https URL there is no service, so I think you will not be able to open that URL in an HTTPS situation.
This is not a programming question, it is a site administration question.
When you make the wrapper menu link, simply go to the metadata tab and tell it to make the link "not secure."

Tracking down X-Frame-Options header

We've partnered with a company whose website will display our content in an IFRAME. I understand what the header is and what it does and why, what I need help with is tracking down where it's coming from!
Windows Server 2003/IIS6
Container page: https://testDomain.com/test.asp
IFRAME Content: https://ourDomain.com/index.asp?lots_of_parameters,_wheeeee
Testing in Firefox 24 with Firebug installed. (IE and Chrome do the same thing.) Also running Fiddler so I can watch network traffic while I'm at it.
For simplicity's sake, I created a page with nothing on it but the IFRAME in question - same physical server, different domain/site - and it failed with
Load denied by X-Frame-Options: https://www.google.com/ does not permit cross-origin framing.
(That's in the Firebug console.) I'm confused because:
Google is not referenced anywhere in the containing app, or in the IFRAMEd app. All javascript libraries are kept locally; there is no analytics in the app. No Google, nowhere.
The containing page has NOTHING on it, except the IFRAME. No html tags, no head tag, no body tag. IFRAME. That's it.
The X-FRAME-OPTIONS header does not exist in IIS on the server: not at the "Websites" node, not in the individual sites.
So where the h-e-double-sticks is that coming from? What am I missing?
Interesting point: if I remove http"S" from the IFRAME url, it works. Given the nature of the data, SSL is required.
You might check global.asax.cs, the app could be adding the header to every response automatically. If you just search the app for "x-frame-options" you might find something also.

Secure Canvas - Should every http request on the canvas page also change to https?

Since 1st Oct is coming, I am working on Secure Canvas URL stuff.
My canvas url is like canvas.example.com. I can make this domain and server SSL ready without a problem.
My question is, should every http request made by canvas.example.com also change to https?
e.g. I import some JS, CSS, and images from cdn.example.com into my canvas page. Should I configure cdn.example.com so that it can also be accessed via https, or can I just leave this domain alone and still use http to get that content?
thank you very much.
You should make all content served over https or the browser will show warnings.
Facebook policies clearly mention that all Page Tabs and iFrame Applications shall have an SSL certificate.
Any external content like images and JS included on your site shall also come from secure hosting, hence the https://, else you will not be complying with FB policies.
Given the fact that FB has been very strict in punishing defaulters, I don't think any app developer can take the risk.

How to identify mixed content in https website

I've inherited an ASP.NET web site that has an SSL certificate bought via GoDaddy.
The problem is that the certificate seems to be invalid because of some "mixed content/resources" (I think that's how it's called) coming from http sites.
Chrome is showing the red cross over the lock next to https, meaning it's unsecured. The popup says the following:
Clicking "What do these mean?" goes here, which says:
The [crossed-lock] icon appears when Google Chrome detects high-risk mixed content, such as JavaScript, on the page or when the site presents an invalid certificate.
The certificate is correct and valid because I tried creating a blank "Hi world" .aspx page and it's showing the green lock with no problems.
Reading a little bit, I found that I should only include images and JavaScript coming from https sites. The only thing it had coming from http was the addthis widget, but they support https, so I changed it to https, but it's still saying that it is unsecured.
I've searched for anything else coming from http in the source, but didn't find anything.
Is there some way (site, chrome extension, firefox extension, whatever) that will show exactly which are the resources that are "unsecured"?
I've never dealt with SSL/HTTPS certificates, but I need to fix this issue asap.
Check your site in http://www.whynopadlock.com, which will give you a list of URLs that are not considered secure by your browser.
Check the Chrome console.
You will get something like this:
The page at https://xys displayed insecure content from http://asdasda.png.
Change the http resource to https, then it will work.
I've found the problem using the Chrome Developer Tools. It was a JS file that embeds a Flash object from a 3rd-party site which is using http.
Are you on Windows? Download and run Fiddler while browsing the site, and watch for HTTP connections.
Mixed content means the contents of a web page are a mix of HTTP and HTTPS links.
These links include your JS, CSS, images, video, audio, iframes, etc.
If your website is enabled for HTTPS (an SSL certificate has been installed), make sure you serve only HTTPS content throughout your web page.