Solved

Restricting framing of frame to a specific foreign website

Posted on 2006-10-23
355 Views
Last Modified: 2008-02-01
I have a frame hosted on one domain that subscriber websites (with other domains) will be able to incorporate in their websites by framing or using an iframe. I am looking for a way I can prevent rogue websites from framing this frame, hence stealing its content.
(Please look at the example at http://allstarcomputing.com/svtframetest.asp to see how this currently looks if I am not being clear).
I am an ASP/VBscript guy but I am thinking I need a JavaScript solution to this problem. So I really only have a little of an idea how to do this.  
My idea is that I need to get the URL of the parent frame to compare with the intended parent URL for validation, but my attempts have failed. Specifically when I try to get the Parent window URL with a  I get a message (IE6) "Access is denied". (I don't get this message when I use this frame on its own domain's frameset, only when I try to frame it with a different domain.)
I won't be able to control much on the subscriber's side other than to provide them with a link and perhaps some HTML code they could incorporate - I want it simple for them, but I do have server side capabilities on the frame's server.
Sorry to be so long but I want to make my problem clear.
The question is: How can I validate that the framing site actually corresponds to the site URL encoded in the frame's URL?
Question by:monshes

Assisted Solution

by:OliWarner
OliWarner earned 500 total points
ID: 17792464
I think a frame on another site will display its referrer to your page as that external site, so you should be able to check that against your list of "allowed" domains.

Request.ServerVariables("HTTP_REFERER")

Assisted Solution

by:OliWarner
OliWarner earned 500 total points
ID: 17792469
I suggest testing that out from a couple of remote domains and making sure the same thing happens in different browsers because referrer code is down to the browser makers to implement. Some may not have it on their code for iframe links.

Author Comment

by:monshes
ID: 17792888
Regretfully Request.ServerVariables("HTTP_REFERER") will not work for the first time the frameset is loaded. I tried that first. Request.ServerVariables("HTTP_REFERER") is an empty string for the first page loaded in the browser(a distinct possibility if someone bookmarks the frameset, which needs to be possible).
Request.ServerVariables("HTTP_REFERER") only works for this scenario if the frameset is refreshed or loaded by a link on the parent domain. That is why I think I need a JavaScript solution or something transcending this problem.

Accepted Solution

by:OliWarner
OliWarner earned 500 total points
ID: 17792943
Is it a proper frameset or just an iframe?

Another option, as you just pointed out, is having the external sites include a JS file on your server. If that JS file were actually an ASP file that output JS code, you should be able to do the referrer check and set a session variable on your server if that host is allowed (I'll explain in a bit). Also make sure the JS isn't cached. This can best be achieved by adding a random querystring (that doesn't get read) to the end of the URL for the JS file (which is actually an ASP file).

As for the JS itself, work it like adsense (if you've seen the code for that) so that people can customise the way the JS outputs an iframe. So yes. Have that JS output an iframe based on the configuration specified by the external webmasters and link to your asp page inside it.

Here's the clever part: because the request for the JS should have started a session on your server and set a variable, you now know if that user is coming from an allowed site and what to show them.


It's long winded, but it should work.

Assisted Solution

by:OliWarner
OliWarner earned 500 total points
ID: 17792960
And here's an example of adsense code:

<script type="text/javascript"><!--
google_ad_client = "pub-xxxxxxxxxxxxxxxx";
google_ad_width = 728;
google_ad_height = 90;
google_ad_format = "728x90_as";
google_ad_type = "text_image";
google_ad_channel = "";
//--></script>
<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>

As you can see, the variables are specified before the link to the external file. The external js, when loaded, can then read those vars and, in your case, decide how to output the iframe.
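As an added illustration (not code from the thread) of the loader described in the accepted solution above and the adsense-style configuration in this post, modelled in JavaScript rather than ASP: the server half checks the Referer and records the verdict in the session, the client half reads the config globals and writes the iframe. The subscriber IDs, host names and the svt_* variable names are assumptions.

```javascript
// Added example, not code from the thread. Server half: the "JS file" the subscriber
// includes is really a server script that checks the Referer and records the verdict
// in the visitor's session (a plain object here). Client half: the adsense-style
// loader reads config globals and writes the iframe. Hosts, IDs and variable names
// (svt_id, svt_width, svt_height, frames.example.com) are assumptions.

const ALLOWED_HOSTS = {               // constructed allowlist keyed by subscriber ID
  "1001": ["allstarcomputing.com"],
  "1002": ["tours.example.org"],
};

// Host part of a Referer header; a missing or unparsable referer is "unknown" (null).
// A first load from a bookmark arrives with no Referer, so it fails this check.
function refererHost(referer) {
  if (!referer) return null;
  try { return new URL(referer).hostname.toLowerCase(); } catch (e) { return null; }
}

// True only when the referer host is an allowed host, or a subdomain of one, for this ID.
function isAllowedReferer(referer, subscriberId) {
  const host = refererHost(referer);
  const hosts = ALLOWED_HOSTS[subscriberId] || [];
  return host !== null && hosts.some(h => host === h || host.endsWith("." + h));
}

// Server side ("ASP file that outputs JS"): store the verdict in the session and
// return the JS text to send. Non-subscriber sites get an inert script.
function serveLoaderScript(referer, subscriberId, session) {
  session.allowed = isAllowedReferer(referer, subscriberId);
  return session.allowed
    ? "document.write(buildIframeTag(window));"   // hypothetical loader body
    : "/* not an authorised subscriber site */";
}

// Server side, frame page: the iframe's request shares the session the loader set.
function serveFramePage(session) {
  return session.allowed ? "<p>tour content</p>" : "<p>not available</p>";
}

// Client side: build the iframe from globals the subscriber sets before the script tag,
// with a random query string (the answer's cache-busting trick) on the frame page URL.
function buildIframeTag(cfg, rnd = Math.random) {
  const esc = s => String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
  const src = "http://frames.example.com/frame.asp?id=" + encodeURIComponent(cfg.svt_id) +
              "&r=" + Math.floor(rnd() * 1e9);
  return '<iframe src="' + esc(src) + '" width="' + esc(cfg.svt_width) +
         '" height="' + esc(cfg.svt_height) + '" frameborder="0"></iframe>';
}
```

An empty Referer (the bookmark case raised earlier in the thread) fails the check, and since a Referer can be forged this limits casual framing rather than a determined copier.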

Author Comment

by:monshes
ID: 17793146
I want this frame to work either as a frame in a proper frameset or as an iframe.

I think I get the gist of the adsense idea. I'm going to try it out tomorrow. But........  Now that I'm thinking about it, if I incorporate a JavaScript variable used to validate the framing domain and that code is accessible by View Source, then it seems that the security intent of this enterprise is compromised. The script could be written into a frameset by a non-subscriber spoofing themselves as a subscriber.
I need a method that a reasonably astute non-subscribing webmaster cannot easily exploit and then "borrow" the frame into their website. I am hoping there was a way with JavaScript (or anything else) to get the URL of the parent frame (which would be hard to spoof) and cross-check it with the expected URL of the framing domain (which will be chosen out of a database based on the ID parameter passed in the frame URL). And I'm hoping it's possible :)

Assisted Solution

by:OliWarner
OliWarner earned 500 total points
ID: 17793170
But if someone goes to one of these external sites, with the information on the page and some simple programming they could easily spoof the referrers.

This is the trade-off between making things easy for other people to use and secure.

If your data needs to be protected that much, you could make the users run server-side code that sends your server private information about itself plus information about the current user. When the same user hits your servers, you should be able to tally that data with their credentials/ip/etc.

Expert Comment

by:scrathcyboy
ID: 17793604
Frames and Iframes are totally different animals.  You need to FORGET frames for any modern programming, use Iframes instead, and with iframes, it is simple to get the parent in javascript --

parent.item.attribute = new attribute  -- does it in javascript just fine.

Author Comment

by:monshes
ID: 17797808
In response to scrathcyboy... My situation requires a solution that will work either in frames or iframes because I do not want to limit my subscribers (other webmasters of varying abilities) so as to exclude them. I personally prefer iframes. I cannot use my favorite which is SSI because of the cross domain issues here.

To everyone... I seem to be running into a security issue getting ANYTHING in JavaScript from the host frameset to the framed window. I get "Access Denied" error messages in IE6 using medium security.

To OliWarner and all... I think your server side idea seems promising. Are you suggesting that the hosting frameset server (pardon my nomenclature - I'm self taught) send something that is not visible in the page source code or the HTTP headers? It sounds good if it is not too hard for subscribers' webmasters to implement on whatever platform they may run. This stuff is not sensitive in any real security sense. I'm just trying to limit the freeloading of what will grow to a large collection of area virtual tour panorama photography display (which itself is secured to some extent already - it will only run on its own server) which will be tempting to casual framing theft.