Using Javascript to Disallow IFramed
By accident, I accessed http://www.webupd8.org/, which uses the following JavaScript to disallow other sites to put its webpages into iframe.
If you put it the follow iframe in webpage, it will open an alter dialog and redirect to its original site webpage.
<iframe src="http://www.webupd8.org/"></iframe>
How it's implemented
It compares the top window with self, if they are not same, then current page is put inside a frame.
The top property returns the topmost browser window of the current window.
The self property returns the current window.
But this protection can be easily bypassed and hacked.
In HTML5, the iframe has a new attribute sandbox to help safeguard your site from the embedded iframe.
allow-same-origin - allows the iframe to access cookies and local storage from the parent, as if it came from the same domain.
allow-top-navigation - allows the iframe to navigate the parent to a different URL.
allow-forms - allows form submission
allow-scripts - allows JavaScript execution
allow-popups - allows the iframe to open new windows or tabs
allow-pointer-lock - allows pointer lock
so if we add sandbox="" or just sandbox in the iframe attribute, then brwoser will disallow javscript in the iframe to be executed. Then the previous javascript protecttion would be voided.
<iframe allowtransparency="true" frameborder="0" sandbox="" scrolling="no" src="http://www.webupd8.org/" style="border: none; overflow: hidden;"></iframe>
Resources
Protect Your Website From Its Embedded Content With Iframes
HTML iframe sandbox Attribute
By accident, I accessed http://www.webupd8.org/, which uses the following JavaScript to disallow other sites to put its webpages into iframe.
If you put it the follow iframe in webpage, it will open an alter dialog and redirect to its original site webpage.
<iframe src="http://www.webupd8.org/"></iframe>
How it's implemented
It compares the top window with self, if they are not same, then current page is put inside a frame.
The top property returns the topmost browser window of the current window.
The self property returns the current window.
<script type='text/javascript'> // <![CDATA[ if ( top != self) { top.location.replace(document.location); alert("iFrame not allowed; click OK to load this page without the iFrame.") } // ]]> </script>How to Hack It
But this protection can be easily bypassed and hacked.
In HTML5, the iframe has a new attribute sandbox to help safeguard your site from the embedded iframe.
allow-same-origin - allows the iframe to access cookies and local storage from the parent, as if it came from the same domain.
allow-top-navigation - allows the iframe to navigate the parent to a different URL.
allow-forms - allows form submission
allow-scripts - allows JavaScript execution
allow-popups - allows the iframe to open new windows or tabs
allow-pointer-lock - allows pointer lock
so if we add sandbox="" or just sandbox in the iframe attribute, then brwoser will disallow javscript in the iframe to be executed. Then the previous javascript protecttion would be voided.
<iframe allowtransparency="true" frameborder="0" sandbox="" scrolling="no" src="http://www.webupd8.org/" style="border: none; overflow: hidden;"></iframe>
Resources
Protect Your Website From Its Embedded Content With Iframes
HTML iframe sandbox Attribute