0

I don't want anybody to be able to use the iframe content without my permission. How can I allow only domains of my choice to be able to embed the iframe with the page's content?

My problem is like this: in my ASP.NET web page there is one iframe, and this iframe loads dynamically. When my web page is loaded the first time, my web page URL is like http://examle.com and my iframe src attribute URL is like http://example.com/anotherwebpage.aspx.

I want to make sure that no one can change my iframe src attribute URL without my permission. How can I do this?

Claudio Santos
Priti kumari

2 Answers

4

Use the X-Frame-Options response header.

In the HTTP response for the document you want to prevent being shown in frames on other websites, include:

    X-Frame-Options: SAMEORIGIN

Then http://example.com/ can embed http://example.com/foo but http://example.net/ cannot.

(Note that old browsers will ignore this header, but it will block it on enough modern browsers to make it not worthwhile for other sites to try to embed it.)

Quentin
  • Awesome, but the second one still be a solution! – Claudio Santos Apr 23 '14 at 19:22
  • I have already tried this option but I am not getting a solution. Please suggest another option. – Priti kumari Apr 24 '14 at 06:52
  • I have used this code in the web.config file ... But it's not working: when I add another site's URL in the iframe src attribute, the iframe shows the other website in my website's iframe. – Priti kumari Apr 24 '14 at 07:52
  • Why is that a problem? – Quentin Apr 24 '14 at 07:53
  • Actually I want to restrict other domains' sites from being added to my website's iframe, but I am not able to do this. After using the X-Frame-Options setting in web.config, my website's iframe is still adding other sites to it. – Priti kumari Apr 24 '14 at 09:25
  • Then either (1) you are using an old browser that doesn't support X-Frame-Options (which doesn't really matter since most people won't be, so it won't be worthwhile for third parties to try to embed your site) or (2) you haven't configured your server to send the header correctly. – Quentin Apr 24 '14 at 09:33
  • I am using IE9 and the latest version of Chrome. I am applying the restriction for security purposes. I want no one to be able to embed another site in an iframe of my site. – Priti kumari Apr 24 '14 at 09:38
  • IE8 supports it. Therefore the problem is, presumably, option 2. (Or option 3: Your test is bad) – Quentin Apr 24 '14 at 09:42
  • Hang on a minute. You want to stop other people putting their sites in your iframes?! Since you control the `src` attribute of your iframes, why is that something you need to prevent? They can't do it in the first place. – Quentin Apr 24 '14 at 09:43
  • Yes, I want to stop other people putting their sites in my iframes. And how do I control the src attribute? I need to prevent this because I want to secure my site from hackers... I think you are irritated by my question... Sorry, but it's my requirement. – Priti kumari Apr 24 '14 at 10:01
  • You control the `src` attribute because you are writing the HTML on your site and the `src` attribute is on your site. (This is, however, exactly the opposite of what your question is asking, so you should probably make it a new question … and make sure you explain why you think that other sites can put themselves into your iframes) – Quentin Apr 24 '14 at 10:03
  • Please see this link: http://www.codeproject.com/Articles/291562/Asp-net-web-application-Security-Review-Dos-Dont – Priti kumari Apr 24 '14 at 11:35
  • What about that link? – Quentin Apr 24 '14 at 11:38
0

Add this to your Web.config. This would add another header to your HTTP response.

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="sameorigin"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>
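
The check both answers rely on, as an added example that is not part of the original posts: a simplified model of how a browser decides whether a response carrying X-Frame-Options may render inside a frame. The function names and sample responses are constructed for illustration, and treating conflicting values as blocked is an assumption of this model.

```javascript
// Added example: simplified model of how a browser applies X-Frame-Options.
// Function names and sample values are constructed for illustration.

// Collect the distinct X-Frame-Options values (header names are case-insensitive).
function xfoValues(headers) {
  const found = new Set();
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'x-frame-options') continue;
    for (const part of String(value).split(',')) {
      if (part.trim() !== '') found.add(part.trim().toLowerCase());
    }
  }
  return [...found];
}

// true  -> the document at documentUrl may render inside the given ancestor frames
// false -> the browser refuses to render it in the frame
function mayBeFramed(headers, documentUrl, ancestorUrls) {
  const values = xfoValues(headers);
  const known = ['deny', 'sameorigin'];
  if (values.length === 0) return true; // header missing: no protection at all
  if (values.length > 1) {
    // Conflicting values: fail closed if any of them is a recognised directive.
    return !values.some(v => known.includes(v));
  }
  if (values[0] === 'deny') return false;
  if (values[0] === 'sameorigin') {
    const own = new URL(documentUrl).origin;
    // Every ancestor, not just the immediate parent, must share the origin.
    return ancestorUrls.every(u => new URL(u).origin === own);
  }
  return true; // an unrecognised (e.g. misspelled) value is ignored
}

// Constructed responses for http://example.com/foo
const page = 'http://example.com/foo';
const cases = [
  ['as configured in Web.config', { 'X-Frame-Options': 'sameorigin' }],
  ['header not sent', {}],
  ['misspelled value', { 'X-Frame-Options': 'SAMEORGIN' }],
];
for (const [label, headers] of cases) {
  console.log(label,
    '| framed by example.com:', mayBeFramed(headers, page, ['http://example.com/']),
    '| framed by example.net:', mayBeFramed(headers, page, ['http://example.net/']));
}
```

The header is evaluated on the response of the page being framed, so it has no effect on which URLs an iframe on your own page is able to load.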