HTML: iframe sandbox alternatives - javascript

Some websites has a script that will redirect it to the original site if you tried to put it on an iframe. So to solve this, we have add the property sandbox="allow-scripts" to the iframe tag. But this solution will not work on browser that doesn't support html5. How can we resolve this? Additionally, we still want to have the script activated on the inner pages.

Ask the owners/administrators of the site to give you an authenticated URL for the site that doesn't redirect.
If you're trying to do this without the permission of the owners/adminstrators, then please reconsider your design.

It sounds like the original post is mentioning a frame-busting script which is in place to keep the page contents from being framed, usually to combat click-jacking attacks.
If you have permission from the site you are trying to frame, aka you have a legitimate reason to be framing their site, you should work with the owners of that site to find a work around. One such method would be to have them replace their frame-busting script with an X-Frame-Options header that could list your domain as an allowed domain to frame the content.

Related

Is there a way to prevent page redirection caused by ads?

My site is using Javascript ads code, and sometimes one of the ads redirects the page, and this is not a good practice according to Google (I got banned temporarily by Google until I solved the issue on my site).
Is there a way to prevent external Javascript redirect on the site (beside remove the ads)? Can you do this on the Apache configuration side to keep the domain in the address bar unchanged?
Working on the assumption that the adverts load external code:
Can you do this on the Apache configuration side to keep the domain in the address bar unchanged?
No. The advert isn't coming from your server. Your server can't influence it.
Is there a way to prevent external Javascript redirect on the site (beside remove the ads)?
No. The script will be loaded into the global scope and you have no opportunity to block access to things it might use to redirect.
Removing the ads is the only real option. Don't use advertising platforms that do a bad job of filtering out adverts that use such shady practises.
You can place the advertiser tag inside an iframe and add the sandbox attribute on the iframe.
In the sandbox attribute you specify which capabilities you grant the iframe.
Enter any capabilities you want but omit the allow-top-navigation navigation option and it will not allow it to navigate your site.
You can see all available attribute options here:https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
Scroll down to the sandbox explanation.
Know that if you put sandbox="" nothing will be allowed because only what you specify will be available for the iframe - and it is a problem for ads. Some advertiser might even serve ads for 100% crippled iframes.

Detecting "Bad Request" or 404 in iframe

Is there a way to detect these website errors in iframes? I am working on a app that has a third party website that has to be embedded into an iframe (trust me I'm not happy about it.) and we have to be able to hide the iframe if these errors occur.
What is the most graceful way to handle this? I have tried a .error, but have had no success. Help would be appreciated so I can keep my brain intact and not have it explode everywhere.
No, it's not.
If iframe is coming from diferent source and doesn't allow access( X-Frame-Options ), you can't do anything about it.
read about it here same origin policy.
There are few things, however, you can do:
If those are singular clicks (people don't navigate further) you can just make request and check content and then actually open iframe.
You can add in app browser like Linkedin for example. Take a look at cordova in app that is really specific solution, different for each platform, but it removes need of iframe.

Same Origin Policy and Facebook

Now I know there are a lot of resources about same origin policy, but I just want a straight up answer for my specific query as I am really struggling to understand.
I am using Facebook plugins on my website, these create iframes that are only visible in the DOM when I use chromes inspect element etc.
Is there a way that I can access these iFrames properties/attributes at all, or is it a resounding "NO CHANCE!". I am spending far too much time on this and I just need to get a final verdict.
Thanks!
Javascript doesn't see the iframe content. Chrome inspector just loads 2 different websites in the same time, yours and the plugins one, so you can play with both of them.
Just curious, how would you like to change it?
In general, JavaScript cannot access iframe content from outside of the iframe, unless the page domain and the iframe domain share the same protocol and host and port. In your case, this could possibly be done using a proxy server to load the iframe content from your domain.
http://en.wikipedia.org/wiki/Same_origin_policy

enforcing a link into iframe

While I'm learning about iframe i found some of the URLs cannot be loaded into iframe. While i tried to load them they replace the current page with that iframe URL page. My friend suggested me to use an iframe enforcer but he is not sure about it.
What I'm wondering is, if it is possible to enforce every url into iframe. If yes which is the best way to do so. Also if this is possible to block our site to load on any iframe. I'm so eager to learn about this.
One of the URL that is not loading is www.dinamalar.com
This is not possible, you cannot load a website into a frame if it doesn't cooperate. Even if JavaScript is off, most browsers already support the X-Frame-Options response header. This is actually a security feature because a malicious website could load a trusted website into a frame and trick the user into clicking a link in it to start some action (Clickjacking).
That said, I think that MSIE's security="restricted" attribute prevents frames from breaking out using JavaScript code the way dinamalar.com does it. I don't think that any browser other than MSIE implements this however (and they don't plan to either).

Iframe Security Issues

We recently had a scenario in which an iframe snippet on a server A was pointing to url on server B. There were some malwares being installed by server A on some clients. Can this iframe be the cause. As in hacker injected his url in the iframe's src. What can be the alternatives to iframe etc.
Most likely you experienced XSS
If a hacker is able to change the URL an iframe points to on your site then the iframe is not the problem, your code is.
Any web site could serve up malware, but you have indicated that the hacker has attacked your site and changed the src attribute of the iframe, not the site serving the iframe contents. Even if you replaced an iframe with something else the fact that an attacker has managed to get to the data behind your web site used to generate the page means that they could not limit themselves to iframes, but embed other tactics, such as a redirect, or a hidden link which is clicked by javascript or any other type of common nasty.
Generally IFrame whose content comes from a different domain cannot access the DOM of the parent web site - due to cross domain scripting restrictions. There were lots of bugs involving browsers not implementing such restrictions properly, so an out-of-date client browser might be the cause.
Unless you're running code inside of the iFrame, which you really shouldn't be, it would be a good idea to disable that iFrame from running any code.

Categories