How can I detect if someone tries to use an iframe with my site on his own site? For example, a person tries to put this code on his site:
<IFRAME SRC="http://mysite.com" WIDTH=440 HEIGHT=110> </IFRAME>
Is it possible to not allow it? Thanks.
You can use a frame breaker, so any site that iframes you will be closed and your site will be opened instead of his!
You can try to add this code to your site's header.
<head>
<script type="text/javascript">
// Frame breaker: if this document is not the top-level window, replace the
// framing page with this page's own URL.
function break_frame() {
  if (window.top !== window.self) {
    window.top.location.href = window.location.href;
  }
}
break_frame();
</script>
</head>
iFrames, when used without permission of the website owner:
-They can result in unexpected bandwidth usage.
-Some search engines ignore the contents of an iframe, which can result in no search engine gains like better SERP position or backlinks.
-The offending website gets to profit off of your content.
-Visitors to the offending website do not see the framed website's URL.
-The offending website can use your website in fraud, cross-site scripting, and other tricks.
-More issues not mentioned...
There are also some anti-clickjacking headers which prevent frames. It's not that well supported, but it's better than nothing:
header("X-FRAME-OPTIONS: DENY");        // to deny all frames
header("X-FRAME-OPTIONS: SAMEORIGIN");  // to only allow frames from the same domain
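As an added example (not code from the thread), here is the same header approach in Node.js, together with a small check that evaluates a set of response headers the way a browser does. Content-Security-Policy frame-ancestors is the modern equivalent of X-Frame-Options and is sent alongside it; the names framingHeaders, canBeFramedBy and handler are this example's own.

```javascript
// Added example, not code from the thread. Builds the anti-framing response
// headers and audits them the way a browser evaluates them. Names such as
// framingHeaders and canBeFramedBy are this example's own.

// X-Frame-Options is the header discussed above; Content-Security-Policy
// frame-ancestors is the modern equivalent. Send both: browsers that understand
// CSP use it and ignore X-Frame-Options, older ones fall back to X-Frame-Options.
function framingHeaders(mode) {
  switch (mode) {
    case 'deny':
      return { 'X-Frame-Options': 'DENY',
               'Content-Security-Policy': "frame-ancestors 'none'" };
    case 'sameorigin':
      return { 'X-Frame-Options': 'SAMEORIGIN',
               'Content-Security-Policy': "frame-ancestors 'self'" };
    default:
      throw new Error('unknown framing mode: ' + mode);
  }
}

// Would a document at frameOrigin be allowed to frame a page served from
// pageOrigin with these headers? Simplified to the forms above: 'none',
// 'self' and literal origins (no scheme or host wildcards).
function canBeFramedBy(headers, pageOrigin, frameOrigin) {
  const csp = headers['Content-Security-Policy'] || '';
  const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (m) {                       // CSP present: it takes precedence over XFO
    const sources = m[1].trim().toLowerCase().split(/\s+/);
    if (sources.includes("'none'")) return false;
    if (sources.includes("'self'") && frameOrigin === pageOrigin) return true;
    return sources.includes(frameOrigin.toLowerCase());
  }
  const xfo = (headers['X-Frame-Options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return frameOrigin === pageOrigin;
  return true;                   // no (recognised) header: anyone may frame it
}

// Request handler that applies the headers to every response.
// To serve it: require('http').createServer(handler).listen(8080);
function handler(req, res) {
  for (const [name, value] of Object.entries(framingHeaders('deny'))) {
    res.setHeader(name, value);
  }
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.end('<p>This page refuses to be framed.</p>');
}
```

Run canBeFramedBy against the headers your own server actually returns (copied from the browser's network panel) to confirm the policy does what you intended.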
Blah. I own many sites and understand the issues, but your list is reaaaally grabbing at straws trying to find a reason to hate iframes.
-They can result in unexpected bandwidth usage.
Yes, from traffic you didn't expect. Waaah? Keep in mind that they're not blocking your ads or anything else. If someone is seeing your site through an iframe and clicks a link, you still get paid.
-Some search engines ignore the contents of an iframe, which can result in no search engine gains like better SERP position or backlinks.
So wait, you hate people sending you traffic if it doesn't count towards your SERP?? Come on now.
-The offending website gets to profit off of your content.
And so do you. Look at it as a really one-sided affiliate program. I guarantee the vaaaaast majority of clicks will be for ads on your site. If not, you really need to look at how you're displaying them. Sure, the "offender" may make a buck having a few ads in a header, but if yours are relevant and well placed you'll do a lot better. It's free traffic!!
-Visitors to the offending website do not see the framed website's URL.
Oh noes! Really? This even made the list? You're making money off the visitors, what do you give a damn?! Sure, it would be super cool if everyone knew your site (I suggest a logo), but something is better than nothing.
-The offending website can use your website in fraud, cross-site scripting, and other tricks.
Sure, please show me how an iframe is going to do that.
Sorry for being so harsh on you, but I see this crap list of excuses floating around way too much. Give me 3 min with preg_match and I'll still cost you just as much bandwidth. Be a dick and I'll pull out all your ads and put my own in there too, and you'll still be spending bandwidth. See how it solves nothing?
This was exactly how the Twitter attack happened a few months ago. The attacker used "clickjacking". They use a hidden iframe positioned above a button or link (it could even be attached to your mouse arrow via JavaScript, I guess), and CSS styling so that the iframe is at the position they want: above a link, button, etc. Then once the user clicks the button they think is from website X, they actually click on website Y, which could have bad effects.
@Goramba I did not say I hate the use of iframes; however, Michelle asked a question about what "harm" iframes can pose, and I answered that. While iframes may have great benefits, that is no reason to ignore the negative/improper ways they can be used.
IFrames can be easily manipulated (for certain sites) to show content that does not show links or the actual origin of the iframe to the common user, and can be used as a hotlinking tool. If I were to simply limit the size of an iframe to just show a 200px by 200px section of content, it won't provide much of a showing to other parts of my website, including my ads. Anyway, the importance of this is on a person-by-person basis, and may be amplified considering the other information I gave.
Once again, the importance of this is on a person-by-person basis. If the offending website were to just link to another website instead of embedding its content, there would be a better chance of gaining SERP and a backlink, which are very important for many website owners.
Many people do not want another website to, nor think that another website has the right to, profit off of their website by basically carbon copying (in the view of the visitor) its content, whether in parts or as a whole. The website owner has the clear right to profit off of their own website.
This is one of the main reasons why the DiggBar was controversial. Do a Google search on "DiggBar controversy" and that may help you understand why many website owners dislike not having their website's URL in the address bar due to an iframe.
Modern browsers usually do properly block cross-site scripting using iframes, besides an occasional exploit (along with other iframe exploits that may appear). Clickjacking, as mentioned by premiumscripts, is a good example of a publicized iframe trick that can inflict harm. However, it could be even simpler than that.
For example, if I own bankofamericas.com I could place bankofamerica.com in a 100%/100% iframe so that users will be able to log in to their accounts, and therefore have no reason to be suspicious (the login is not a problem for BoA because the login is seen only by BoA and not my fraud website). I could then serve a (div) popup requesting account information, or I could change the iframe to redirect to an information request page posing as a BoA official page. Though a trick like the one I mentioned could be done without an iframe in different ways, the iframe would provide a stronger sense of security to the user because the user would see a fully functional bankofamerica.com website. So yes, Goramba, though you may not consider any of the items on the list as problems, some of these issues may be core concerns for web owners that aren't willing to be as "open" as you are.
Btw, the original frame busting code can quite easily be prevented by something like this:
var prevent_bust = 0;
window.onbeforeunload = function () { prevent_bust++; };
setInterval(function () {
  if (prevent_bust > 0) {
    prevent_bust -= 2;
    window.top.location = 'http://server-which-responds-with-204.com';
  }
}, 1);
The only requirement is that the server responds with a 204 No Content header. The better way would be this:
function bust() {
  if (top != self) {
    setInterval(function () {
      top.location.replace('http://cached-bust-out-page.com/with/redirect');
    }, 1);
  }
}
See http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing/ and http://coderrr.wordpress.com/2009/06/18/anti-anti-frame-busting/
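As an added example (not code from the thread or the linked posts), here is the defensive counterpart to the bypass above: the page ships hidden and is only revealed once the script has confirmed it is the top-level document, so a framer that blocks the redirect is left with a blank frame rather than your content. The names installFrameBuster and makeWindow are this example's own; makeWindow fakes the few window/document properties needed so the logic can run outside a browser.

```javascript
// Added example, not code from the thread. installFrameBuster and makeWindow
// are this example's own names.
//
// The page ships hidden, e.g. <style>html { display: none; }</style> in <head>,
// and is only revealed once the script has confirmed it is the top-level
// document. If a framing page blocks the redirect with the onbeforeunload + 204
// trick, the framed copy simply stays blank.
function installFrameBuster(win) {
  if (win.self === win.top) {
    // Not framed: reveal the document (inline style overrides the stylesheet).
    win.document.documentElement.style.display = 'block';
    return 'revealed';
  }
  try {
    // Framed: replace the top-level page with our own URL. replace() leaves no
    // history entry the user could "back" into, and is one of the few
    // operations a browser permits on a cross-origin Location object.
    win.top.location.replace(win.self.location.href);
  } catch (e) {
    // Some browsers throw on cross-origin top access; stay hidden regardless.
  }
  return 'hidden';
}

// Fake browser environment (constructed for this example): either a top-level
// window or one nested in a foreign frame whose top records replace() calls.
function makeWindow(url, framed) {
  const win = {
    location: { href: url },
    document: { documentElement: { style: { display: 'none' } } },
    redirects: [],   // top.location.replace() targets, for inspection
  };
  win.self = win;
  win.top = framed ? { location: { replace: (u) => win.redirects.push(u) } } : win;
  return win;
}

// In a real page, run it as early as possible in <head>: installFrameBuster(window);
```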
Kudos on not giving in to my bash. I had a long day and your reasons brought back the nightmare I had of using iframes to display other sites. I was building a site free of ads, totally free, non-profit as a proof-of-concept that displayed sites in floating windows via iframe. There's a surprising number of sites that use a framebreaker script. Even sites that don't need to; I think Fox was one of them. Anyway, my argument still stands, but I could have gone about it differently. Best wishes.
No offense taken. I happen to use frame breakers on my website because in the distant past, I used to use a free dot.tk forward domain and wanted people to see the actual URL of my webpage just in case I no longer controlled the dot.tk domain. It was also to prevent the dot.tk popups. Since then, the frame breaker just became a standard, "why not" part of my code.
It has nothing to do with HTML 5; these are headers you send out via your PHP app or whatever (server-side). Anyway, they were introduced by Microsoft and are available from IE8. Safari 4 and Chrome now also support these headers. If you have an older browser, this will have no bad effect, it will just mean those aren't protected.
It could be that the other site is loading his site in a 1x1 pixel iframe with the sole intent of DDOSing his site.
Well, breaking out of iframes for DDOS protection is a little far-fetched. There are better solutions to protect against that. Besides, what's to prevent the attacker from just switching to img tags for the attack?
Touché... Although it would at least get him a lot of (potentially) useful traffic in the case of tiny iframes!