monshes
asked on
Restricting framing of frame to a specific foreign website
I have a frame hosted on one domain that subscriber websites (with other domains) will be able to incorporate in their websites by framing or using an iframe. I am looking for a way I can prevent rogue websites from framing this frame, hence stealing it's content.
(Please look at the example at http://allstarcomputing.com/svtframetest.asp to see how this currently looks if I am not being clear).
I am an ASP/VBscript guy but I am thinking I need a JavaScript solution to this problem. So I really only have a little of an idea how to do this.
My idea is that I need to get the URL of the parent frame to compare with the intended parent URL for validation, but my attempts have failed. Specifically when I try to get the Parent window URL with a I get a message (IE6) "Access is denied". (I don't get this message when I use this frame on it's own domain's frameset, only when I try to frame it with a different domain.
I won't be able to control much on the subsciber's side other than to provide them with a link and perhaps some HTML code they could incorporate - I want it simple for them, but I do have server side capabilities on the frame's server.
Sorry to be so long but I want to make my problem clear.
The question is: How can I validate that the framing site actually corresponds to the site URL encoded in the frame's URL?
(Please look at the example at http://allstarcomputing.com/svtframetest.asp to see how this currently looks if I am not being clear).
I am an ASP/VBscript guy but I am thinking I need a JavaScript solution to this problem. So I really only have a little of an idea how to do this.
My idea is that I need to get the URL of the parent frame to compare with the intended parent URL for validation, but my attempts have failed. Specifically when I try to get the Parent window URL with a I get a message (IE6) "Access is denied". (I don't get this message when I use this frame on it's own domain's frameset, only when I try to frame it with a different domain.
I won't be able to control much on the subsciber's side other than to provide them with a link and perhaps some HTML code they could incorporate - I want it simple for them, but I do have server side capabilities on the frame's server.
Sorry to be so long but I want to make my problem clear.
The question is: How can I validate that the framing site actually corresponds to the site URL encoded in the frame's URL?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I want this frame to work either as a frame in a proper frameset or as an iframe.
I think I get the gist of the adsense idea. I'm going to try it out tommorrow. But........ Now that I'm thinking about it if I incorporate a javascript variable used to validate the framing domain and that code is accesible by View Source, then it seems that that the security intent of this enterprise is compromised. The script could be written into a frameset by a non-subscriber spoofing themself as a subscriber.
I need a method that a reasonably astute nonsubscribing webmaster cannot easily exploit and then "borrow" the frame into their website. I am hoping there was a way with JavaScript (or anything else) to get the URL of the parent frame (which would be hard to spoof) and crosscheck it with the expected URL of the framing domain (which will be chosen out of a database based on the ID parameter passed in the frame URL). And I'm hoping it's possible :)
I think I get the gist of the adsense idea. I'm going to try it out tommorrow. But........ Now that I'm thinking about it if I incorporate a javascript variable used to validate the framing domain and that code is accesible by View Source, then it seems that that the security intent of this enterprise is compromised. The script could be written into a frameset by a non-subscriber spoofing themself as a subscriber.
I need a method that a reasonably astute nonsubscribing webmaster cannot easily exploit and then "borrow" the frame into their website. I am hoping there was a way with JavaScript (or anything else) to get the URL of the parent frame (which would be hard to spoof) and crosscheck it with the expected URL of the framing domain (which will be chosen out of a database based on the ID parameter passed in the frame URL). And I'm hoping it's possible :)
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Frames and Iframes are totally different animals. You need to FORGET frames for any modern programming, use Iframes instead, and with iframes, it is simple to get the parent in javascript --
parent.item.attribute = new attribute -- does it in javascript just fine.
parent.item.attribute = new attribute -- does it in javascript just fine.
ASKER
In response to scrathcyboy... My situation requires a solution that will work either in frames or iframes because I do not want to limit my subscribers (other webmasters of varying abilities) so as to exclude them. I personally prefer iframes. I cannot use my favorite which is SSI because of the cross domain issues here.
To everyone... I seem to be running into a security issue getting ANYTHING in javascript from the host frameset to the framed window. I get "Access Denied" error messages in IE^ using medium security.
To OliWarner and all... I think your server side idea seems promising. Are you suggesting that the hosting frameset server (pardon my nomenclature - I'm self taught) send something that is not visible in the page source code or the HTTP headers? It sounds good if it is not too hard for subscriber's webmasters to implement on whatever platform they may run. This stuff is not sensitive in any real security sense. I'm just trying to limit the freeloading of what will grow to a large collection of area virtual tour panorama photography display (which itself is secured to some extent already - it will only run on it's own server) which will be tempting to casual framing theft.
To everyone... I seem to be running into a security issue getting ANYTHING in javascript from the host frameset to the framed window. I get "Access Denied" error messages in IE^ using medium security.
To OliWarner and all... I think your server side idea seems promising. Are you suggesting that the hosting frameset server (pardon my nomenclature - I'm self taught) send something that is not visible in the page source code or the HTTP headers? It sounds good if it is not too hard for subscriber's webmasters to implement on whatever platform they may run. This stuff is not sensitive in any real security sense. I'm just trying to limit the freeloading of what will grow to a large collection of area virtual tour panorama photography display (which itself is secured to some extent already - it will only run on it's own server) which will be tempting to casual framing theft.
ASKER
Request.ServerVariables("H