Question
I have a form that I'd like to embed in a website that is on my whitelist.
Other websites that try to embed it should get only an error page.
<iframe src="https://domain.tld/getForm.php?embed=1&formId=123456"></iframe>
I was hoping that I could use $_SERVER['HTTP_REFERER'] in getForm.php to check the embedding website, but it's not working.
Does anyone know a best practice or any workaround?
Thanks in advance!
Answer 1:
Most browsers will support the X-Frame-Options header.
This header will prevent access:
X-Frame-Options: SAMEORIGIN
And this header to allow access:
X-Frame-Options: ALLOW-FROM [uri]
Examples of the options:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
An example in PHP:
<?php header('X-Frame-Options: SAMEORIGIN'); ?>
You can read further here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Hope it helps a bit!
Answer 2:
Content Security Policy headers are now the recommended approach.
Example from MDN:
// iframe can be embedded in pages on the origin and also on https://www.example.org
Content-Security-Policy: frame-ancestors 'self' https://www.example.org;
For more details see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
Source: https://stackoverflow.com/questions/39483348/how-to-allow-iframe-embedding-only-for-whitelisted-websites