Solved

Block a domain or it's IP that shows our content in an IFrame

Posted on 2013-11-09
Last Modified: 2013-12-10
Hi,
We have a busy site (Drupal 6) and we are showing some information (something that can be considered our Intellectual Property and that is not in the public domain) to everyone without login or any protection. Now there is a website which is showing our content in an iframe. I installed a module called Go Away (https://drupal.org/project/goaway) and banned this website's IP, but it didn't help and it's still showing.

Then I blocked this IP and domain in cPanel; this also didn't help. I'm wondering if a script is treated differently than a client like a browser, and this is why any blocking is not working on it?

Kindly suggest a fix to block it, though we are in the process of sending them a legal notice we still want to block them.
Question by:practitioner
19 Comments
 
LVL 9

Assisted Solution

by:oliverpolden
oliverpolden earned 250 total points
ID: 39635589
You can't block a website from loading a page in an iframe like that, because the IP address is that of the person viewing the page, not of the website.

If this is information that shouldn't be public then you need to make it private to everyone, even those on your site.

However, it sounds like this should be public, so what I would do is an iframe breakout. Then if your page is viewed in an iframe on somebody else's site, the iframe would break out and display your site in full.

Here's a link that shows you how to do it. You might want to tweak it so it checks whether the parent domain is your domain.
http://css-tricks.com/snippets/javascript/break-out-of-iframe/

Kind regards,
Oliver
0
 
LVL 17

Expert Comment

by:nanharbison
ID: 39635610
You could create a content type, let's call it "private", and set the permissions for that content type to be viewed only by users who are logged in (authenticated users). Then change this page to the content type called private. This module allows you to change the content type of nodes:
https://drupal.org/project/node_convert
0
 

Author Comment

by:practitioner
ID: 39635666
Hi OliverPolden,
Yes, what you said is absolutely right: an iframe needs to be broken in my case, and yes, the IP would be that of the person who is accessing it and not of the website that is including it in the iframe src.

I implemented it but it didn't work at the target website. I suspect that it's because it's simply not a src; it's loaded dynamically through jQuery. Here is how this site implements this:
function getData() {
    // trim() and doAjax() are helpers defined elsewhere on that site
    if (trim(document.getElementById("txtmyvalue").value) == "") {
        alert("Please enter a valid number.");
        document.getElementById("txtmyvalue").focus();
    }
    else if (trim(document.getElementById("txtmyvalue").value).indexOf("-") == -1) {
        alert("Number should be in a valid format");
        document.getElementById("txtmyvalue").focus();
    }
    else {
        var container = $('#target');
        var msg = $('#msg');
        // builds the URL of our page and fetches it via AJAX, not as an iframe src
        var url = "http://www.mydomain.com/mypath/" + trim(document.getElementById("txtmyvalue").value);
        doAjax(url, msg, container);
    }
    return false;
}


I'm not sure how to break this. Please help.

@nanharbison, thanks for the reply. Unfortunately, this is not how we want to make it available; we want everyone to access it without any restriction if they are on our website.
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 39635672
You can't do this on the server AFAIK, however you can use JavaScript to compare top and self.  If they don't match... document.write('goodbye!')

You might also want to make a Google search for the X-FRAME-OPTIONS header.  Look for DENY and SAMEORIGIN.  Modern IE, Safari, Chrome and Firefox all support this header.
0
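The top/self comparison Ray describes and the parent-domain check Oliver suggests, as an added example that is not code from the thread or from any of its participants. The decision logic is kept in a plain function so it can be tested outside a browser; the wiring at the bottom only runs when a window exists. The origin www.mydomain.com and the allowlist are assumptions, and the parent origin is read from document.referrer, which for a framed document is the framing page's URL.

```javascript
// Added example: frame-busting policy (top vs self, plus an allowlist of parents).
// Hypothetical site origin; the only parent allowed to frame us is ourselves.
const SELF_ORIGIN = 'https://www.mydomain.com';
const ALLOWED_PARENT_ORIGINS = new Set([SELF_ORIGIN]);

// Pure policy: `win` mimics a browser window as { top, self, parentOrigin }.
// parentOrigin is null when it cannot be determined (no referrer, or unparsable).
// Returns 'not-framed', 'allowed' or 'break-out'.
function frameDecision(win, allowed = ALLOWED_PARENT_ORIGINS) {
  if (win.top === win.self) return 'not-framed';          // Ray's top/self test
  if (win.parentOrigin && allowed.has(win.parentOrigin)) return 'allowed';
  return 'break-out';                                      // unknown parent: leave
}

// The framing page's origin. A cross-origin parent blocks reading top.location,
// so document.referrer is used instead. It is client-supplied, which is why it
// only ever feeds an allowlist here and never a "block this domain" list.
function parentOriginOf(doc) {
  if (!doc || !doc.referrer) return null;
  try {
    return new URL(doc.referrer).origin;
  } catch (e) {
    return null;
  }
}

// Browser wiring: evaluate the policy and, if framed by an unknown parent,
// navigate the top window to this page (Oliver's "break out"). Assigning to
// top.location is permitted cross-origin even though reading it is not.
function applyFramePolicy(w, doc) {
  const decision = frameDecision({
    top: w.top,
    self: w.self,
    parentOrigin: parentOriginOf(doc),
  });
  if (decision === 'break-out') {
    w.top.location.replace(w.self.location.href);
  }
  return decision;
}

if (typeof window !== 'undefined') {
  applyFramePolicy(window, document);
}
```

The script is the client-side half only: it cannot run when the other site fetches the page server-side (which is what the thread later discovers), and a framing page can suppress scripts in the frame, so the X-Frame-Options header Ray mentions remains the authoritative control and this is the "belt-and-suspenders" part.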
 

Author Comment

by:practitioner
ID: 39635692
Thanks Ray,
We have a managed dedicated server; I've raised a ticket to add:
Header always append X-Frame-Options SAMEORIGIN

I'll post update once it is done.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39635695
That should do it, but you could always take the "belt-and-suspenders" approach and put in the JavaScript.  It would be especially useful if there are other parts of the site that depend on JavaScript :-)
0
 

Author Comment

by:practitioner
ID: 39635723
Hi Ray,

I'm wondering why JavaScript doesn't fire on the other website? I tried alert and everything to make sure it's working, but I guess it doesn't work and this is why document.write or innerHTML is not being replaced when self and top are not matching.


I'm still waiting for the Data Center's update
0
 

Author Comment

by:practitioner
ID: 39635728
I first tried a simple alert with no decision construct; it worked on my site and the alert appeared, but not on the other site where it is being loaded in the iframe.

I'm not sure what is wrong with it.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39635818
If nothing else works, and knowing JS will not run, and you are more bothered about the IP content, then set the IP content to no display. On page load use JS to show it.

Of course you could do this to everything on the page, but I would be worried about the SEO aspect of this.

(Or are you saying all the content is IP?)

Edit.
Another thought, add an overlay div with a nice text to visit your real site and use js to remove it.
Combined with some of the other options Ray has mentioned you can cover all your bases.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39635946
This is one case where checking the 'HTTP_REFERER' would be a good idea.  If the REFERER is their web page or domain, just don't send any content.
0
 

Author Comment

by:practitioner
ID: 39636038
Since the JavaScript is not running when it is on the other domain, I started checking again, and in Firebug I found that they have used yahooapis and get the data in XML format:
GET http://query.yahooapis.com/v1/public/yql?q=select * from html where url%3D%22http%3A%2F%2Fwww.mydomain.com%2Fmy-custom-path%2FAN0011-02-015%22&format=xml%27&callback=jQuery15206903208556229895_1384026595085&_=1384026614751

:-( So there is no iframe, and this is why the JavaScript things didn't work. Now neither the JS solution nor
Header always append X-Frame-Options SAMEORIGIN at apache will help.

How do I prevent yahooapis from querying the site?

Thanks Gary for the great input, thanks Dave.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39636042
The overlay idea will still work as it relies on css only and then js at load to remove it (maybe)
0
 
LVL 58

Expert Comment

by:Gary
ID: 39636063
0
 
LVL 12

Expert Comment

by:Mohamed Abowarda
ID: 39636644
You can detect if the website is being viewed in an iframe or not and then redirect to another page if an iframe is detected:
if (window != window.top)
{
     location.href = "URL to redirect to if the user is seeing your page from Iframe...";
}

0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39637030
Since we were relying on the assertion that it was iFrame, we may have been off the mark on possible solutions.  Please post the actual URL of the site in question and we can take a look at what is going on.  Some screen shots would be helpful, too.  The closer we can get to the SSCCE, the better.
0
 

Author Comment

by:practitioner
ID: 39638000
@Ray,
With due regards, I admit that this post is off track. The original issue that was posted to EE was breaking an iframe and I got two fantastic solutions, the very first reply from OliverPolden and one from you. These two replies are the solution to the iframe issue, so to justify the points distribution I'll close this post by dividing the points between you and OliverPolden. I hope it's fair.

Now, coming to the issue which I found later (my fault), that it's YQL and not an iframe: I'll create another post and assign full points to GaryC123, who suggested a link to block YQL:
http://developer.yahoo.com/yql/guide/limit_access_content_providers.html

@Gary, thanks for the link. @Everyone thanks for your kind support, please read below:

We
1. Blocked Yahoo Pipes 2.0 in robots.txt
2. Blocked "Yahoo Pipes" user agent in .htaccess
3. Blocked "Yahoo Pipes" user agent in httpd.conf

and then changed the path of the page so that YQL caching can be avoided. Unfortunately, YQL is not respecting the restrictions and is still fetching page content, even from the new paths / URLs.

@Everyone, I would love to share both the URLs (the one that shows content on our site and the YQL one too), but ours is a very high traffic website with great organic search results, and I'm afraid those links from EE will appear in Google and I don't want our users to know this. Kindly suggest how I can send these links to a protected area or to your email IDs.

One might say that EE solutions can't be seen since it's login protected, so let me tell you about a bug on EE: when someone views a post on EE the solution is not shown and it says
This question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
but if you keep on scrolling, you'll view the replies, i.e. the suggested solutions.

Just to prove this, in a browser where you are not logged on to EE go to Google and search
site:experts-exchange.com "Ubuntu 12.04 - Failed to download package files"

Click the search result in Google, it will take you to EE and then just keep on scrolling to view the answer.

Regards
0
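Dave's Referer check and the user-agent blocking the asker describes above, combined into one server-side gate, as an added example that is not code from the thread or from any participant. It is a duck-typed Node request handler (pass `handle` to `http.createServer` to run it); the blocked referer host `scraper.example`, the path `/mypath/`, and the sample requests are constructed for illustration. The only user-agent pattern is the "Yahoo Pipes" string named in the thread.

```javascript
// Added example: gate a protected page on Referer and User-Agent before serving it.
// Both headers are sent by the client, so this is best-effort filtering: a
// server-side fetcher such as YQL arrives with whatever headers it chooses (often no
// Referer at all), which is exactly why the thread's iframe-only fixes did not bite.
const BLOCKED_REFERER_HOSTS = ['scraper.example'];        // constructed: the embedding site
const BLOCKED_USER_AGENTS = [/yahoo pipes/i];             // from the asker's .htaccess rule

// Lower-case all header names so 'Referer' and 'referer' are treated alike.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Hostname of the Referer URL, or null when absent or unparsable.
function refererHost(headers) {
  const ref = normalizeHeaders(headers).referer;
  if (!ref) return null;
  try {
    return new URL(ref).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Exact match or any subdomain of a blocked host.
function hostMatches(host, blocked) {
  return blocked.some((b) => host === b || host.endsWith('.' + b));
}

// Returns { allow, reason } so the caller can log why a request was refused.
function gateRequest(headers, opts = {}) {
  const blockedHosts = opts.blockedRefererHosts || BLOCKED_REFERER_HOSTS;
  const blockedAgents = opts.blockedUserAgents || BLOCKED_USER_AGENTS;
  const host = refererHost(headers);
  if (host && hostMatches(host, blockedHosts)) return { allow: false, reason: 'referer' };
  const ua = normalizeHeaders(headers)['user-agent'] || '';
  if (blockedAgents.some((re) => re.test(ua))) return { allow: false, reason: 'user-agent' };
  return { allow: true, reason: 'ok' };
}

// Node-style handler; returns the status code it wrote so it can be checked.
function handle(req, res, body = 'protected content') {
  const verdict = gateRequest(req.headers);
  if (!verdict.allow) {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    res.end('Forbidden');
    return 403;
  }
  // Ray's header rides along with every served copy of the page.
  res.writeHead(200, { 'Content-Type': 'text/html', 'X-Frame-Options': 'SAMEORIGIN' });
  res.end(body);
  return 200;
}

// Constructed sample requests, not real traffic.
const SAMPLE_REQUESTS = [
  { headers: { 'user-agent': 'Mozilla/5.0', referer: 'https://www.mydomain.com/mypath/' } },
  { headers: { 'user-agent': 'Mozilla/5.0', referer: 'https://scraper.example/page' } },
  { headers: { 'user-agent': 'Yahoo Pipes 2.0' } },
  { headers: { 'user-agent': 'Mozilla/5.0' } },       // no Referer: passes the gate
];

function sampleVerdicts() {
  return SAMPLE_REQUESTS.map((q) => gateRequest(q.headers));
}
```

The fourth sample request is the instructive one: with no Referer and a browser-like user agent it passes, which is the limit of this approach and why nanharbison's answer (put the content behind authentication) is the only control that does not depend on the client describing itself honestly.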
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39638614
Rather than send the URLs via email, you can post them with some mild obscuration such as Iconoun dot com.  Or you can reverse the domain name.  Anything like that can help you get eyes directly on the problem.  You'll get better targeted, less theoretical, answers if we can see what is actually going on.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39638915
Is it possible they are using cached pages? I find it hard to believe that Yahoo would ignore your robots.

Use a URL shortener.
0
 

Author Closing Comment

by:practitioner
ID: 39710595
Thanks guys, Oliver and Ray gave the exact solution and I distributed the points between them. However, as you can see in the later part of the thread, I found it is not an iframe but YQL, so I'm going to post another question and will invite you guys on it; I'll award points to Gary there for his help on the YQL issue.

EE rocks
0
