I would like to implement selective framebursting for my iframe application.

My iframe is available at www.mywebsite.con/iframe.aspx?lic=1234

When the third-party website hosting my iframe is (PayedWebsited1.con OR PayedWebsited2.con) AND the lic=1234 option also exists, display the iframe. For any other cheaters, display bananas!

How can I do it?

asked May 25, 2012 at 7:55 by OrElse (edited May 25, 2012 at 8:04)
  • You need some server-side language to check this and provide the according content. Unless you want to store the possible lic's in your JS, so everyone can read them. – pdu Commented May 25, 2012 at 8:25
  • Hello, could you provide me a small sample? – OrElse Commented May 25, 2012 at 8:54

6 Answers

The thing is that the licence number won't help in any way, whether you use a server-side solution or JavaScript. Cheaters will be able to see that licence number on PayedWebsite1.

As was said, you cannot get the parent frame location, but you can get the referrer. It equals the parent frame's URL if your page is loaded in an iframe.

if (window.top !== window.self) {  // only if we're in an iframe
    // we get the host of our referrer; document.referrer can be empty,
    // in which case match() returns null, so guard before indexing
    var m = document.referrer.match(new RegExp("^(http|https)://(.*?)/.*$"));
    var host = m ? m[2].toLowerCase() : '';  // convert to lower case
    var myHost = document.location.host.toLowerCase();
    if (
        host !== myHost                  // so we can click on links in an iframe
        && host !== 'payedwebsite1.'
        && host !== 'payedwebsite2.'
    ) {
        window.top.location.href = document.location.href;
    }
}

Be aware that this technique can be beaten. More info at http://javascript.info/tutorial/clickjacking

For newer browsers, you can send special header:

X-Frame-Options: DENY

The logic stays the same, only server-side: check the referrer, and if it is a PayedDomain or your own domain, just keep going. Otherwise, send this header.

If it is possible for your third party users to include a javascript file, or ideally send a request in ASP prior to drawing the page, this is what I would do:

Javascript

  1. Build an ASP page (I do PHP, so my example is in PHP) on your server that checks the referrer and the license number to match an account in your database. The ASP file should then output JavaScript functions that will replace or insert into the specified element your iframe with a "one-time-use" key that you generate. The file might look similar to this:

    <?php
    header('Content-Type: application/javascript'); // the file is included as a script
    $lic = isset($_GET['lic']) ? $_GET['lic'] : ''; // Do better validation (short for demo purposes)
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; // header may be absent
    if (valid_license($lic, $referer)) {
        $one_time_key = get_access_key($lic);
        ?>
        function drawIframe() {
            document.getElementById('iframe_target').innerHTML = "<iframe src='mysite.php?key=<?php echo rawurlencode($one_time_key); ?>'></iframe>";
        }
        <?php
    }
    else {
        // still define the function, so the customer's drawIframe() call does not throw
        ?>
        function drawIframe() {
            document.getElementById('iframe_target').innerHTML = "You are not authorized to use this service.";
        }
        <?php
    }
    
  2. Have your customer include this javascript code as a replacement of your iframe, in a fashion similar to this:

    <div id="iframe_target"></div>
    <script src="http://www.yoursite./preauth.php?lic=1234"></script>
    <script>drawIframe();</script>
    
  3. On the page that is loaded by the iframe, immediately check the key that you generated against the value passed to the iframe. If it is valid, immediately delete or change the status of the key so that you know it's been used. Then display appropriate application.

    • This JavaScript method will be the least painful method for your third-party users, although it can be beaten (users could change the "referer" that is sent to your server, although it is unlikely).

ASP

If you can get your users to make a request to your URL from within their server, you will eliminate exposing any risky information like the license to the user. They could call something like $key = file_get_contents("http://www.yoursite./preauth.asp?lic=1234"); and immediately afterwards they can output the iframe with the one-time-use key that you just generated.

For security reasons, your browser will not allow you to use JavaScript to detect the URL of the parent page (i.e. the page that contains the iframe that displays your page).

The only solutions I can think of are:

  1. Insist that users of your iframe.aspx page include an additional GET param that states the domain that they are using.
  2. Use the Request.UrlReferrer to get the referrer

On the page you render, you should have a Literal control so that, should you want to prevent the person from framing your page, you can simply add the JavaScript required to break out of the frames.

Unfortunately if Javascript is disabled, this will render your code useless...

Hope this helps?

protected void page_load(object sender, EventArgs e)
{
    bool killFrames = false;
    if(Request.QueryString["lic"] == null)
        killFrames = true;
    if(!killFrames && Request.UrlReferrer != null)
    {
        // do some database check against the LIC and Referrer
        // and set killFrames accordingly.
    }
    if(killFrames)
    {
        literalFrame.Text = "<script type=\"text/javascript\">if(top.location != location) { top.location.href = document.location.href; }</script>";
        // or show the bananas
    }
    else
    {
        // render the page accordingly.
    }
} 

I will try to point to a solution for your general problem rather than this particular technical problem, which as far as I know is impossible because of security precautions taken by all web browsers.


You need some sort of handshake between their app and yours, and that has to be done server-side.

Every PayedWebsite should have a password (or if they have a static IP you could use that). Internally on their server (using cURL maybe) they should send you their password via POST; then you return a token that is used in the iframe.

iframe.aspx?lic=1234&token=d16evg5tr44e0trty45xp6es5

And the token only works once, so the process has to be repeated every time the iframe needs to be opened. And you refuse every connection that doesn't include a valid token.

I'm not a .NET expert, but it looks like your problem could be easily solved by tracking the referral header that the client sends to your page when loading the iframe content.

You may want to refer to another question regarding referer headers: how should we validate http header referrer in aspx

Basically, you would do the following:

  1. Use the referral header to get the domain name
  2. Look up the domain name in your database (to see if there was a license for that site)
  3. Send the real page, or the bananas depending on the result of the match.

Global.asax did the trick!

Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
    Dim ref As String = HttpContext.Current.Request.ServerVariables("HTTP_REFERER")
    ' ServerVariables returns Nothing when no Referer header was sent, so check that first
    If ref Is Nothing OrElse (Not ref.Contains("PayedWebsited1") AndAlso Not ref.Contains("PayedWebsited2")) Then
        Response.Redirect("MYDOMAIN", True)
    End If
End Sub

Thanks to all!
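The server-side referrer check that the first answer (check the referrer, otherwise send X-Frame-Options: DENY), the three-step answer above (take the domain from the referral header, look up the licence, send the real page or the bananas) and the accepted Global.asax answer all describe, as an added Node.js example rather than code from any of the answers. The licence table, host names and function names (refererHost, hostAllowed, frameDecision) are constructed; it goes slightly beyond the answers by comparing the whole host exactly instead of testing for a substring, and by treating a missing or malformed Referer as not allowed:

```javascript
// Constructed licence table: which partner hosts a licence number is paid for.
const LICENSES = {
  '1234': ['payedwebsite1.example', 'payedwebsite2.example'],
};
const MY_HOST = 'www.mywebsite.example';   // links clicked inside our own iframe keep working

// Host part of the Referer header, lower-cased; null when the header is
// missing (browsers and privacy settings do strip it) or is not a URL.
function refererHost(referer) {
  if (!referer) return null;
  try {
    return new URL(referer).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Exact host comparison, deliberately not a substring test: a Referer of
// "http://payedwebsite1.example.evil.test/" contains the partner's name
// but is not the partner.
function hostAllowed(host, lic) {
  if (!host) return false;
  if (host === MY_HOST) return true;
  return (LICENSES[lic] || []).includes(host);
}

// Decide what the iframe request gets: the application, or the decoy plus
// X-Frame-Options: DENY so a compliant browser will not render it in a frame.
// Node lower-cases incoming header names, hence headers.referer.
function frameDecision(query, headers) {
  const host = refererHost(headers.referer);
  if (hostAllowed(host, query.lic)) {
    return { headers: {}, body: 'application' };
  }
  return { headers: { 'X-Frame-Options': 'DENY' }, body: 'bananas' };
}
```

Because the Referer header is under the client's control and is often stripped by referrer policies, this check keeps honest partners on the right page but is not a trust boundary on its own; the one-time token handshake from the other answers is what stops a copied URL from working elsewhere.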

Tags: javascript, Selective Framebursting, Stack Overflow