How to check whether a web page can be loaded in iframe

  sonic0002        2018-07-27 22:36:02       36,778        2    

Sometimes you may want to load other website's page in your own website's iframe, but due to some security concerns, other website may have security configurations which prevent you from loading their pages into your iframe. In this case, if you try to load them, you would see a blank page or a text message telling that it's prohibited. Fortunately, you can detect this before you actually decide to load it.

To prevent a page from being loaded by an iframe from other site, the response header sent to the browser will contain some options which denies the load. These response header options include

Content-Security-Policy

Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting(XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.

Hence if one website wants to prevent other site from loading it, they can set the content security policy to only allow its own access or trusted websites access. Syntax would be:

Content-Security-Policy: policy

Policy can be some websites domain names which have access.

X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame><iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

This option can have some values like DENY, SAMEORIGIN, ALLOW-FROM xxx. From the values, it is easy to understand what they are for. DENY will disallow loading the site in an iframe inside any page(even from the same origin). SAMEORIGIN allows the page to be loaded in an iframe from the same origin. ALLOW FROM allows the page to be loaded in an iframe from specified websites.

After understanding these options, it's easy to implement the logic in your own website to detect whether other webpage can be loaded in your iframe or not. Below is a sample PHP code snippet for doing this kind of check.

function isIframeDisabled($src){
	try{
		$headers = get_headers($src, 1);
		$headers = array_change_key_case($headers, CASE_LOWER);
		// Check Content-Security-Policy
		if(isset($headers[strtolower('Content-Security-Policy')])){
			return true;
		}
		// Check X-Frame-Options
		if(isset($headers[strtolower('X-Frame-Options')] &&
		   (strtoupper($headers['X-Frame-Options']) == 'DENY' ||
		    strtoupper($headers['X-Frame-Options']) == 'SAMEORIGIN')
		){
			return true;
		}
	} catch (Exception $ex) {
		// Ignore error
	}
	return false;
}

Here the code doesn't check the case where some specified websites are allowed to access the site, it just gives you a sense on how you can do this kind of check. Other languages can follow similar methods.

SECURITY  HTML  IFRAME  HTTP  X-FRAME-OPTIONS  CONTENT-SECURITY-POLICY 

       

  RELATED


  2 COMMENTS


Gaurav [Reply]@ 2019-11-03 23:20:07

I am trying to load a wensite in iframe. I recieved the following header operation from website.

x-frmae-options and contet-security-policy , both are not present .

 

 

Array
(
    [0] => HTTP/1.1 301 Moved Permanently
    [Content-Type] => Array
        (
            [0] => text/html
            [1] => text/html
        )

    [Location] => https://www.fluidbranding.com/about-us/
    [Content-Length] => Array
        (
            [0] => 737
            [1] => 1809
        )

    [Accept-Ranges] => Array
        (
            [0] => bytes
            [1] => bytes
        )

    [Date] => Array
        (
            [0] => Mon, 04 Nov 2019 05:19:13 GMT
            [1] => Mon, 04 Nov 2019 05:19:13 GMT
        )

    [Connection] => Array
        (
            [0] => close
            [1] => close
        )

    [Pragma] => Array
        (
            [0] => no-cache
            [1] => no-cache
        )

    [Expires] => Array
        (
            [0] => -1
            [1] => -1
        )

    [Cache-Control] => Array
        (
            [0] => no-store, no-cache, must-revalidate, max-age=0
            [1] => no-store, no-cache, must-revalidate, max-age=0
        )

    [Server] => Array
        (
            [0] => MageStack-MagentoOS
            [1] => MageStack-MagentoOS
        )

    [Strict-Transport-Security] => Array
        (
            [0] => max-age=0
            [1] => max-age=0
        )

    [1] => HTTP/1.1 200 OK
    [Vary] => Accept-Encoding
)

Can you please suggest which parameter not letting iframe to load this website.

 

Ke Pi [Reply]@ 2019-11-04 07:03:15

It has x-frame-options: SAMEORIGIN in its response header.

BTW, is above comment a promotional one?

 



  RANDOM FUN

Doing KT before quitting