In our app, we allow people to embed videos using iframe or script tags. But we dont want to allow the people watching the video to easily copy these embed codes and post them elsewhere.
For iframes - what we've done is, in the iframe tag, we replace the src attribute's value with a proxy URL we have setup inside our application which simply redirects to the actual src URL. Besides this, it also does the authentication at this stage.
Clever people will surely be able to crack this, but this seems like a good solution for most cases since when they try to inspect the dom they only see the proxy URL and not the actual one.
For < script/> - I tried doing the same, but did not work out.
Eg. -
<div id="wowza_player"><script src='//player.cloud.wowza.com/hosted/abcdefg/wowza.js' type='text/javascript'></script></div>
Is there anyway to obfuscate or prevent abuse of these embed codes?
Thanks!
In case of iFrame, it can be possible to verify the domain that "call" the iframe using the referer. See How to limit display of iframe from an external site to specific domains only
Related
I'm getting very confused reading all the examples about how to use window.postMessage() with iframes because they all involve one page being notified of activity, like clicks, happening in the other. Or else they only output some text to the console. I just want to get the original iframe embedding working, nothing else.
I have a page at https://subdomain.example.com/page1/ that contains an iframe like this:
<iframe src="https://example.com/page2/" name="myIframe"></iframe>
Obviously this doesn't work because the origins are different. How do I make it work using postMessage()? Once the iframe has loaded the pages don't need to communicate or know anything about each other.
I want to include an external (external domain) html page into my page. For SEO reasons iframe, object or embed are not useful, there are just a link in my source file. PHP's include function is very helpful but it causes many problems for UI. I want contents of include function and view of iframe.
How can I do that?
Thanks.
There's no reasonable alternative to <iframe>.
Who knows if you could extract the markup from the site from the server-side and print that HTML inside a <div> in your own site, but I doubt that this could ever work, because if the whole target site does AJAX requests, WebSockets or whatever, it should be secure enough to block you from performing them from other domains than allowed ones by themselves (i.e. their official domains).
If you are adding content from an external source the it should really have 0 impact on your SEO. Needs to be your own content as far as I am aware. You could try scraping the external source and using Ajax add it to your page using $().load() or similar... Wouldn't recommend though!
Some websites has a script that will redirect it to the original site if you tried to put it on an iframe. So to solve this, we have add the property sandbox="allow-scripts" to the iframe tag. But this solution will not work on browser that doesn't support html5. How can we resolve this? Additionally, we still want to have the script activated on the inner pages.
Ask the owners/administrators of the site to give you an authenticated URL for the site that doesn't redirect.
If you're trying to do this without the permission of the owners/adminstrators, then please reconsider your design.
It sounds like the original post is mentioning a frame-busting script which is in place to keep the page contents from being framed, usually to combat click-jacking attacks.
If you have permission from the site you are trying to frame, aka you have a legitimate reason to be framing their site, you should work with the owners of that site to find a work around. One such method would be to have them replace their frame-busting script with an X-Frame-Options header that could list your domain as an allowed domain to frame the content.
While I'm learning about iframe i found some of the URLs cannot be loaded into iframe. While i tried to load them they replace the current page with that iframe URL page. My friend suggested me to use an iframe enforcer but he is not sure about it.
What I'm wondering is, if it is possible to enforce every url into iframe. If yes which is the best way to do so. Also if this is possible to block our site to load on any iframe. I'm so eager to learn about this.
One of the URL that is not loading is www.dinamalar.com
This is not possible, you cannot load a website into a frame if it doesn't cooperate. Even if JavaScript is off, most browsers already support the X-Frame-Options response header. This is actually a security feature because a malicious website could load a trusted website into a frame and trick the user into clicking a link in it to start some action (Clickjacking).
That said, I think that MSIE's security="restricted" attribute prevents frames from breaking out using JavaScript code the way dinamalar.com does it. I don't think that any browser other than MSIE implements this however (and they don't plan to either).
I am working on a game in Javascript, and I would like to be able to include a modding API. How can I allow a developer to execute arbitrary code using my API while keeping them from doing malicious activities (stealing cookies, redirecting to a malicious site)?
There's a project by Google that aims to allow you to do something like this.
I'm working on something like this and my solution was to run the script-ables inside an iFrame that points to a subdomain (http://bar.foo.com) instead of the main site (http://foo.com). Input is provided to the script via url #fragment#identifiers and output is provided through the URL fragment identifier of a nested, invisible iFrame pointing back at the original name.
Remember, you can set a child frame's URL even if you can't see it, and you can always check a frame's specific URL if it's on the same domain.