• Status: Solved

How to limit access of external url iframe to a specific parent url

Hello

Is it possible to determine the URL of the opening parent for an external URL iframe?

We want to only allow the iframe to be populated from within a specific site.

cheers
stu
0
Asked by: stucal

pigmentarts Commented:
Not that I know of from within the iframe, however you could easily just post the URL into the iframe,
for example:


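<!--- Build the parent page's URL (host + script path + query string) --->
<cfset parent = "#cgi.server_name##cgi.script_name#?#cgi.query_string#">

<!--- cfoutput is needed so #...# is evaluated; URL-encode the value for use in a query string --->
<cfoutput>
<iframe src="index.cfm?parentURL=#urlEncodedFormat(parent)#"></iframe>
</cfoutput>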


0
 
stucal (Author) Commented:
That won't really help. We are trying, in effect, to secure the execution of the iframe content to one site; this would allow running from anywhere, as the parent is available in the source of the parent site.

I suppose it can't be done.
0
 
pigmentarts Commented:
If you have access to the page with the iframe on, then it's a simple process of detecting the page and choosing to not show the contents of the iframe (but the iframe will still be loaded).

However, if you only have the iframe and don't have access nor know who the parent page is, then it's already executed by the time the iframe loads, and you would need JavaScript. It's 100% doable in JS.

You can tell if you are being framed with JavaScript. For example, within your iframe you could get the parent URL:

parent.location.href


0
 
stucal (Author) Commented:
The iframe is on an external domain. Will parent.location.href show the calling domain even if it's different to the iframe source?
0
 
pigmentarts Commented:
It should do, it will be called client side
0
 
Proculopsis Commented:

I'm not sure if I've got this right but surely all you need to do is validate #CGI.HTTP_REFERER# within the iframe cfm and make sure the domain is approved.
0
 
pigmentarts Commented:
Have not tried it in an iframe, my guess is that it would not work as it's called within the iframe.

I personally keep away from CGI.HTTP_REFERER; not all clients will send the referring address and you will block genuine users who have set high security settings or have a firewall like Zone Alarm running etc.
0
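
An added example, not part of the thread or any participant's code: one way to apply the Referer check discussed above while handling the missing-header case, paired with the browser-enforced Content-Security-Policy frame-ancestors directive, which the thread does not mention. The allowed origin, function names and sample headers are assumptions constructed for illustration.

```javascript
// Added example. ALLOWED_PARENTS and all function names are hypothetical.
const ALLOWED_PARENTS = ['https://portal.example.com']; // constructed value

// Browser-enforced control: frame-ancestors lists the parent origins that
// may embed this response in a frame. Other parents get a blocked frame.
function framingHeaders(allowed) {
  return { 'Content-Security-Policy': `frame-ancestors ${allowed.join(' ')}` };
}

// Server-side Referer check. Compares the parsed origin exactly, so a
// look-alike host or an allowed URL hidden in a query string does not match.
// Returns 'allowed', 'denied', or 'unknown' (header absent or unparsable).
function checkReferer(referer, allowed) {
  if (!referer) return 'unknown';
  let origin;
  try {
    origin = new URL(referer).origin;
  } catch {
    return 'unknown';
  }
  return allowed.includes(origin) ? 'allowed' : 'denied';
}

// Decide how to answer a request for the iframe page.
// A missing Referer is not rejected (privacy settings and proxies strip it);
// the frame-ancestors header is sent on every response and does the enforcing.
function decide(reqHeaders, allowed = ALLOWED_PARENTS) {
  const verdict = checkReferer(reqHeaders.referer, allowed);
  return {
    status: verdict === 'denied' ? 403 : 200,
    verdict,
    headers: framingHeaders(allowed),
  };
}

// Constructed sample requests (lower-case header names, as Node exposes them).
const samples = [
  { referer: 'https://portal.example.com/app/page.cfm?id=7' },
  { referer: 'https://portal.example.com.evil.test/' },
  { referer: 'https://evil.test/?u=https://portal.example.com' },
  {}, // Referer stripped by the client
];
for (const h of samples) {
  const d = decide(h);
  console.log(h.referer || '(none)', '->', d.status, d.verdict);
}
```

The Referer header is supplied by the client and can be forged by non-browser tools, so treat the 403 path as a filter for casual embedding and rely on frame-ancestors for enforcement in browsers.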
 
docnica Commented:
Why not put the iframe inside a cfif? I don't really understand what you are trying to do. I recently had to pass a PCI certification so we had to deal with a lot of issues like that; if you explain more I may be able to help.
0
 
stucal (Author) Commented:
We did not go for an iframe in the end, but this seemed to be the most likely solution
0
