How to limit display of iframe from an external site to specific domains only

一整个雨季 2020-11-30 08:00

I operate a service where a client's content is prepared and displayed in an iframe. The client then copies a rudimentary iframe html tag and pastes it into their web page.

2 Answers
  • 2020-11-30 08:25

    You can use an .htaccess (assuming the original content is on an Apache server) to limit the access to a specific IP.

    Or, if the page is a PHP, you could limit it to a specific domain, like this:

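        <?php
        // Serve the page only when the Referer host is yourdomain.com or one of its subdomains.
        $allowed = 'yourdomain.com';
        $continue = 0;
        if (isset($_SERVER['HTTP_REFERER'])) {
            // parse_url() gives null or false when the URL has no usable host
            $host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
            if (is_string($host)) {
                $host = strtolower($host);
                // Exact or subdomain match: a substring test would also accept yourdomain.com.other.test
                if ($host === $allowed || substr($host, -strlen('.' . $allowed)) === '.' . $allowed) {
                    $continue = 1;
                }
            }
        }

        if ($continue == 0) {
            header('HTTP/1.0 403 Forbidden');
            exit('Forbidden');
        }
        ?>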
    
  • 2020-11-30 08:25

    Sounds like a check that is better made server side - you can check the iFrame markup against a list of valid domain names (or parent domain names) and reject it if they are invalid.

    You could do all of the above in javascript, before injecting the iFrame into the page, but if javascript is off, your validation will not work, not to mention that with development tools on the client any javascript can be modified.

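
The server-side allowlist check the second answer describes, as an added example that is not part of either answer; the names `embed_host_allowed`, `frame_ancestors_header`, `$ALLOWED_PARENTS` and the client domains are hypothetical. It goes beyond the answers in one respect: it also builds a `Content-Security-Policy: frame-ancestors` header, so the browser enforces the same list when the Referer is missing or altered by the client.

```php
<?php
// Added example: hypothetical allowlist of client domains permitted to embed the page.
$ALLOWED_PARENTS = ['client-one.example', 'client-two.example'];

// True when the URL's host equals an allowed domain or is a subdomain of one.
function embed_host_allowed(?string $url, array $allowed): bool
{
    if ($url === null || $url === '') {
        return false;                       // no Referer sent (privacy settings, Referrer-Policy)
    }
    $host = parse_url($url, PHP_URL_HOST);  // null or false when there is no usable host
    if (!is_string($host)) {
        return false;
    }
    $host = rtrim(strtolower($host), '.');  // host names are case-insensitive; drop a trailing root dot
    foreach ($allowed as $domain) {
        $suffix = '.' . $domain;
        // Match on a label boundary, never by substring, so lookalike hosts are rejected.
        if ($host === $domain || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Builds the response header that lets the browser enforce the same list.
function frame_ancestors_header(array $allowed): string
{
    $sources = [];
    foreach ($allowed as $domain) {
        $sources[] = "https://$domain";
        $sources[] = "https://*.$domain";
    }
    return 'Content-Security-Policy: frame-ancestors ' . implode(' ', $sources);
}

// Constructed sample Referer values, not taken from any real log.
$samples = [
    'https://client-one.example/page.html',        // allowed domain
    'https://shop.client-two.example:8443/embed',  // subdomain of an allowed domain, with a port
    'https://client-one.example.other.test/',      // allowed name is only a prefix
    'https://notclient-one.example/',              // allowed name is only a suffix of one label
    'not a url',                                   // no host component at all
];
foreach ($samples as $referer) {
    $ok = embed_host_allowed($referer, $ALLOWED_PARENTS);
    printf("%-45s %s\n", $referer, $ok ? 'allow' : '403 Forbidden');
}
echo frame_ancestors_header($ALLOWED_PARENTS), "\n";
```

In the iframe page itself, pass the result of `frame_ancestors_header()` to `header()` before any output, and answer 403 when `embed_host_allowed($_SERVER['HTTP_REFERER'] ?? null, $ALLOWED_PARENTS)` is false.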