javascript - How to restrict website to load only inside an iframe?

Question

Welcome To Ask or Share your Answers For Others

javascript - How to restrict website to load only inside an iframe?

posted Feb 19, 2021 in Technique[技术] by 深蓝 (71.8m points)

javascript - How to restrict website to load only inside an iframe?

I have two web sites:

https://exampleiframe.com (third-party website),
https://example.com (my website)

I want to restrict https://example.com to load only inside iframe of https://exampleiframe.com

I have added ??? below CSP in the response header for https://example.com.

"Content-Security-Policy": "frame-ancestors 'self' https://exampleiframe.com"

This policy only restricts when the request is coming from an iframe. But I don't want to load this url (https://example.com) anywhere other than this iframe.

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Reply

深蓝 · Answer 1 · 2021-02-19T03:49:02+0000

If you wish to restrict direct access to page via Url and allow show it in iframe only - it's not solvalble with CSP. CSP only restricts Urls for framing (you shown correct CSP for that).

But you can use JavaScript and if self === top perform redirect to /not_allowed Url.
Myy be it's possible to use some data- attribute like <iframe data-access='framed' src=''></iframe> and check this attribute by JS inside iframe (if it is accessible). Direct Url will not have such data- attribute.

But such check will fail with disabled javascript.

Categories

javascript - How to restrict website to load only inside an iframe?

javascript - How to restrict website to load only inside an iframe?

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags