Someone is iframing my website, using
<iframe src="http://example.org" sandbox=""></iframe>
This way, the sandbox attribute prevents my site from using a frame buster on it, and it can be easily iframed.
Frame buster on my website:
if (window.top !== window.self) window.top.location.replace(window.self.location.href);
Is there a programmatic way to redirect to my site when it's being iframed with the sandbox attribute?
Iframing can be prevented with the X-Frame-Options response header: set it to either X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN. Through this response header setting you can protect your website against iframing or clickjacking attacks.
Once the X-Frame-Options response header is set, the browser shows a standard message like "This content cannot be displayed in a frame".
The sandbox attribute turns off all JavaScript, amongst other things. This is why your frame buster will not work, nor will any other JavaScript people have provided.
The W3C says of a sandbox:
scripts are disallowed/disabled within the iframe
links to other browsing contexts are disallowed/disabled within the iframe
A test shows that the attribute also disables meta redirects and any standard link which breaks out of the iframe.
With this strictness, I'd be very surprised if a redirect is possible, since that would defeat the point of the sandbox.
The best I can suggest would be to use the noscript tag to display a message to users seeing the page in a sandboxed iframe. You could style that so people can't see your content.
(If it is just one site being a problem, then blocking them with .htaccess would probably be a better approach.)
I think the best thing you can do is show your own message with a target="_top" link. The whole concept of the sandbox attribute is to disallow redirects. There is no way to bypass that, and if you ever find one, browser makers will probably find a way to stop it. It's clearly their intention.
This is just how the web works. You can't do whatever you want when it comes to browsers.
#SudiptaKumarMaiti's answer of X-Frame-Options works, but is being superseded by Content Security Policy (CSP) Level 2 - specifically the frame-ancestors directive.
To disallow framing completely (similar to X-Frame-Options: DENY), use this HTTP header:
Content-Security-Policy: frame-ancestors 'none';
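As an added example (not code from any of the answers above), the following builds the two anti-framing headers a server should send together, X-Frame-Options for older browsers and CSP frame-ancestors for current ones, and approximates how a browser evaluates a frame-ancestors source list against a prospective embedder's origin. It goes slightly beyond the answer by covering 'self', scheme-only and host sources with an optional scheme, *. wildcard and port; all origins and policies in it are constructed samples.

```javascript
// Builds the headers for a page that wants to control who may frame it.
// [] => nobody may frame the page; ["'self'"] => same origin only; any other
// list is expressible only in CSP, so X-Frame-Options falls back to DENY.
function antiFramingHeaders(allowedAncestors) {
  const sources = allowedAncestors.length ? allowedAncestors : ["'none'"];
  const onlySelf = sources.length === 1 && sources[0] === "'self'";
  return {
    'X-Frame-Options': onlySelf ? 'SAMEORIGIN' : 'DENY',
    'Content-Security-Policy': 'frame-ancestors ' + sources.join(' '),
  };
}

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };
const portOf = (u) => u.port || DEFAULT_PORT[u.protocol] || '';

// True if one CSP source expression matches the embedder origin.
// `embedder` and `self` are URL objects; unsupported forms (e.g. a bare *) match nothing.
function sourceMatches(source, embedder, self) {
  if (source === "'none'") return false;
  if (source === "'self'") return embedder.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return embedder.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Without an explicit scheme, the page's own scheme (or https) is accepted.
  const schemeOk = scheme
    ? embedder.protocol === scheme.toLowerCase() + ':'
    : embedder.protocol === self.protocol || embedder.protocol === 'https:';
  const h = embedder.hostname.toLowerCase(), want = host.toLowerCase();
  const hostOk = wildcard ? h.endsWith('.' + want) : h === want;   // *.x.test never matches x.test
  const portOk = !port || port === '*' || portOf(embedder) === port;
  return schemeOk && hostOk && portOk;
}

// Would a browser honouring `cspHeader` let `embedderOrigin` frame the page served at
// `selfOrigin`? A header without a frame-ancestors directive imposes no restriction.
function frameAncestorsAllow(cspHeader, embedderOrigin, selfOrigin) {
  const directive = cspHeader.split(';').map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  if (!directive) return true;
  const embedder = new URL(embedderOrigin), self = new URL(selfOrigin);
  return directive.slice(1).some((src) => sourceMatches(src, embedder, self));
}
```

Because a CSP allow-list cannot be expressed in X-Frame-Options, the legacy header is set to DENY whenever anything other than 'self' is permitted, which is the safe fallback for browsers that ignore CSP.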
Can I embed a Microsoft Teams video meeting into my website using an iframe or other technology?
When I tried, I got this error:
Refused to display 'https://teams.live.com/' in a frame because it set
'X-Frame-Options' to 'sameorigin'.
Can it be cheated somehow?
No, you can't. The error message is telling you exactly why not: Microsoft have set an HTTP header on the Teams site which instructs the browser not to load the page into any kind of frame unless that frame is within the teams.live.com website.
The MDN documentation for X-Frame-Options says
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites
This is not something you can override - if you could, setting the header would immediately become completely pointless, since anyone with malicious intent would simply choose to ignore it.
Good day everyone.
So I have a website and I am trying to embed a Dynamics server in an iframe, and it keeps throwing an error, something like
Refused to display 'https://XXXXXXXXXXXX' in a frame because it set 'X-Frame-Options' to 'deny'.
Any ideas how I can get it to work?
This happens when we try to redirect the page to a login page.
Thanks
Check the X-Frame-Options header:
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
Based on the above statement, this is something that 'https://XXXXXXXXXXXX' has added to the page to disallow it from being used in an <iframe>.
You can see that this can even be configured globally at the web server level, to secure all the websites.
If the website is on the same domain, the workaround is easier, using the SameOrigin value.
If you want to allow all, then just don't set the response header for the XXXXXXXX site at all (if you have access to it).
I'm trying to develop an extension similar to Pinterest's PinIt extension for Google Chrome. In general, I know that loading any URL in an iframe which is not from the same origin would result in the error "Refused to display 'https://www.someWebsite.com/' in a frame because it set 'X-Frame-Options' to 'DENY'."
However, I do see that Pinterest is loading a URL on any website when using their extension. For example, I was using the extension on instagram.com (I've used it on other sites as well) and then I took a screenshot of what I could not understand. (Please refer to the selected area in the DOM.)
Can anyone tell me how this can be achieved, or how Pinterest is doing this?
X-Frame-Options dictate which frames can embed the page, not which pages can be embedded in it.
So if, say, https://www.someWebsite.com/ disallows to be embedded, X-Frame-Options doesn't prevent embedding https://www.someOtherWebsite.com/ inside it (if the other website allows it).
However, child-src or frame-src Content Security Policy directive can prevent embedding another page.
In theory, both mechanisms can be overridden by the webRequest API. However:
PinIt doesn't use it, so logically it should fail on some sites.
http://content-security-policy.com/ is an example where it simply fails.
There may be additional countermeasures if you decide to circumvent response headers.
It's a cat and mouse game if some resource is unwilling to be embedded or allow embeds.
By changing CSP headers, you are weakening security considerably for your users.
I finally figured out how to deal with this. I still do not know how exactly Pinterest is doing it, but I'm sure I'm close to it.
I simply load an iframe in the body of the parent by injecting my own JS into the page.
Then I iterate through all the images available on the page like
var imgArray = [];
$('img').each(function () {
// do my stuff to see if I need this image
// push the ones I want into imgArray
imgArray.push(this.src);
});
var imgToString = imgArray.toString();
var myIframe = document.getElementById('iframe_id').contentWindow;
myIframe.postMessage(imgToString, '*');
And then in the iFrame that I load, I receive the message and use the images...
So the gist of the whole issue is that postMessage() is my saviour.
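The answer above shows only the sending side, with the '*' target origin. As an added example (not the asker's or Pinterest's code), here is the receiving side inside the iframe, written so that only messages from the expected parent origin and in the expected comma-joined shape are acted on, and so that only http(s) image URLs are rendered. PARENT_ORIGIN and the message format are assumptions; the events used to exercise it are constructed.

```javascript
const PARENT_ORIGIN = 'https://parent.example';   // assumed; the origin of the page that embeds the iframe

// Parse the comma-joined list the parent sent (imgArray.toString()), keeping only
// absolute http(s) URLs. Returns the accepted URLs, or null if the message must be ignored.
function acceptImageMessage(event, trustedOrigin) {
  if (event.origin !== trustedOrigin) return null;             // not our parent: ignore silently
  if (typeof event.data !== 'string' || event.data.length > 100000) return null;
  const urls = [];
  for (const raw of event.data.split(',')) {
    const s = raw.trim();
    if (!s) continue;
    let u;
    try { u = new URL(s); } catch (e) { continue; }            // relative or garbage entry: drop
    if (u.protocol !== 'https:' && u.protocol !== 'http:') continue;   // no javascript:, data:, etc.
    urls.push(u.href);
  }
  return urls;
}

// Inside the iframe: register the handler and render accepted images by setting
// attributes, never innerHTML, so a hostile list cannot inject markup.
function installReceiver(win, doc, trustedOrigin) {
  win.addEventListener('message', (event) => {
    const urls = acceptImageMessage(event, trustedOrigin);
    if (!urls) return;
    for (const href of urls) {
      const img = doc.createElement('img');
      img.src = href;
      doc.body.appendChild(img);
    }
  });
}
// In a browser: installReceiver(window, document, PARENT_ORIGIN);
```

On the parent side, the '*' in postMessage(imgToString, '*') should likewise be replaced with the iframe's origin, so the list is never delivered to a window that has been navigated elsewhere.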
I have an HTML page with an iframe included from a cross domain that doesn't belong to me.
I need to do some basic javascript modifications in the iframe (write value and fire up an event -> form processing).
Because of the same-origin policy I'm not allowed to do this. However, I need to do it, so I'm searching for a workaround.
It is only important that I can run a script for myself. It is enough if it works in one browser, and I don't need security for myself.
In my research I have found a lot of ways to break the same-origin policy, like document.location (in FF only with similar locations), JSONP/sendMessage (I need to be the owner of both domains) and so on, but nothing that works with an iframe of a page that doesn't belong to me.
The only "workaround", if you can't make the other site include the relevant CORS headers, would be to fetch the iframe content server-side and serve it as coming from your own domain.
The reason there isn't a simpler workaround is the reason the same-origin policy exists: to protect users.
I need to display another website in an iframe. I don't need to access anything on this website I'll be displaying. Is this in violation of the cross domain policy? If so, would a proxy bypass this?
I tried a simple iframe with its src set to http://google.com as a test, and it looks like this does violate the policy. How can I bypass this if I don't need to access anything on the displayed webpage?
No, you can access any site through an iFrame.
What is against the policy is trying to manipulate the site in any way and modern browsers won't let you manipulate it anyways.
Google does allow you to load their site in an iFrame; however, they're using code to "break out of frames", so instead of viewing their site through an iFrame, you'll just be redirected to google.com.
Ah, I see now that it's only the test page I used, Google, that forbids this. Other sites are OK.