Block a domain or its IP that shows our content in an IFrame

Hi,
We have a busy site (Drupal 6) and we are showing some information (this is something that can be considered our intellectual property and that doesn't come into the public domain) to everyone without login or any protection. Now there is a website which is showing our content in an iframe. I installed a module called Go Away (https://drupal.org/project/goaway) and banned this website's IP, but it didn't help and it's still showing.

Then I blocked this IP and domain in cPanel; this also didn't help. I'm wondering if a script is treated differently than a client like a browser? And is this why blocking is not working on it?

Kindly suggest a fix to block it; though we are in the process of sending them a legal notice, we still want to block them.
SOLUTION
oliverpolden
This solution is only available to members.
You could create a content type, let's call it "private", and set the permissions for that content type to be viewed only by users who are logged in (authenticated users). Then change this page to the content type called private. This module allows you to change the content type of nodes:
https://drupal.org/project/node_convert
ASKER

Hi OliverPolden,
Yes, what you said is absolutely right, an iframe needs to be broken in my case and yes, the IP would be that of the person who is accessing and not of the website that is including it in the iframe src.

I implemented it but it didn't work at the target website. I suspect that it's because it's simply not a src; it's loaded dynamically through jQuery. Here is how this site implements this:
function getData() {
    // trim() and doAjax() are defined elsewhere on that site and are not shown here.
    if (trim(document.getElementById("txtmyvalue").value) == "") {
        alert("Please enter a valid number.");
        document.getElementById("txtmyvalue").focus();
    }
    else if (trim(document.getElementById("txtmyvalue").value).indexOf("-") == -1) {
        alert("Number should be in a valid format");
        document.getElementById("txtmyvalue").focus();
    }
    else {
        // Build the URL of our page from the entered value and load it into #target.
        var container = $('#target');
        var msg = $('#msg');
        var url = "http://www.mydomain.com/mypath/" + trim(document.getElementById("txtmyvalue").value);
        doAjax(url, msg, container);
    }
    return false;
}


I'm not sure how to break this? Please help.

@nanharbison, thanks for the reply, unfortunately, this is not how we want to make it available, we want everyone to access it without any restriction if they are on our website.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Thanks Ray,
We've a managed dedicated server, I've raised a ticket to add:
Header always append X-Frame-Options SAMEORIGIN

I'll post an update once it is done.
That should do it, but you could always take the "belt-and-suspenders" approach and put in the JavaScript.  It would be especially useful if there are other parts of the site that depend on JavaScript :-)
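
Added example, not part of the thread: once the directive is applied, the response headers can be checked with logic modelled on how the HTML standard has browsers process X-Frame-Options, simplified here to a single embedding page. The function names, URLs and header values are constructed assumptions; the multi-value case matters because `Header always append` can produce a comma-separated value when the application also sets the header.

```javascript
// Added example (not from the thread): would a browser show this response
// inside a frame on another page? Simplified to one embedding page.
// All URLs and header values used with it are constructed.

function originOf(url) {
  return new URL(url).origin; // scheme + host + port
}

// headers: plain object with lower-case header names, as most HTTP clients
// return them. A value may contain several comma-separated entries.
function framingAllowed(headers, pageUrl, embedderUrl) {
  const raw = headers['x-frame-options'];
  if (!raw) return true; // no header: any site may frame the page

  // Split, normalise case and de-duplicate ("SAMEORIGIN, SAMEORIGIN" -> one entry).
  const values = new Set(
    raw.split(',').map(v => v.trim().toLowerCase()).filter(Boolean)
  );
  const known = ['deny', 'sameorigin', 'allowall'];

  if (values.size > 1) {
    // Mixed values: the frame is blocked if any entry is a recognised token.
    return !known.some(k => values.has(k));
  }

  const [only] = values;
  if (only === 'deny') return false;
  if (only === 'sameorigin') {
    return originOf(pageUrl) === originOf(embedderUrl);
  }
  // Unrecognised value (for example a typo such as "SAMORIGIN") gives no protection.
  return true;
}
```

The typo case is the one worth testing after a change made by someone else: a misspelled value is silently ignored and the page remains frameable.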
Hi Ray,

I'm wondering why JavaScript doesn't fire on the other website? I tried alert and everything to make sure it's working, but I guess it doesn't work and this is why document.write or innerHTML is not being replaced when self and top are not matching.


I'm still waiting for the Data Center's update
I first tried a simple alert and no decision construct, it worked on my site and alert appeared but not on the other site where it is being loaded in iframe.

I'm not sure what is wrong with it?
If nothing else works and knowing js will not run and you are more bothered about the IP content then set the IP content to no display. On page load use js to show it.

Of course you could do this to everything on the page, but I would be worried about the SEO aspect of this.

(Or are you saying all the content is IP?)

Edit.
Another thought, add an overlay div with a nice text to visit your real site and use js to remove it.
Combined with some of the other options Ray has mentioned you can cover all your bases.
This is one case where checking the 'HTTP_REFERER' would be a good idea.  If the REFERER is their web page or domain, just don't send any content.
Since the JavaScript is not running when it is on the other domain, I started checking again, and in Firebug I found that it is yahooapis that they have used, and they get the data in XML format:
GET http://query.yahooapis.com/v1/public/yql?q=select * from html where url%3D%22http%3A%2F%2Fwww.mydomain.com%2Fmy-custom-path%2FAN0011-02-015%22&format=xml%27&callback=jQuery15206903208556229895_1384026595085&_=1384026614751

:-( So there is no iframe; this is why the JavaScript things didn't work. Now neither the JS solution nor
Header always append X-Frame-Options SAMEORIGIN at Apache will help.

How do I prevent yahooapis from querying the site?

Thanks Gary for the great input, thanks Dave.
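
Added example, not part of the thread and not taken from Yahoo's documentation: when a page is fetched by a third-party server instead of being loaded in a visitor's browser, the access log is where the fetcher's actual IP and user agent appear. The code below flags clients that request pages under the protected path with no referer and never load an asset; the log lines, the `ExampleFetcher` agent, the asset path and the function names are constructed assumptions, and the log format is assumed to be Apache combined.

```javascript
// Added example: find clients that request the protected pages but never the
// assets a browser would load with them. All log lines are constructed.
const SAMPLE_LOG = [
  '203.0.113.7 - - [09/Nov/2013:19:50:14 +0000] "GET /my-custom-path/AN0011-02-015 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed browser)"',
  '203.0.113.7 - - [09/Nov/2013:19:50:15 +0000] "GET /sites/all/themes/site/style.css HTTP/1.1" 200 900 "http://www.mydomain.com/my-custom-path/AN0011-02-015" "Mozilla/5.0 (constructed browser)"',
  '198.51.100.20 - - [09/Nov/2013:19:50:16 +0000] "GET /my-custom-path/AN0011-02-015 HTTP/1.1" 200 5120 "-" "ExampleFetcher/1.0 (constructed)"',
  '198.51.100.20 - - [09/Nov/2013:19:50:40 +0000] "GET /my-custom-path/AN0011-02-016 HTTP/1.1" 200 5090 "-" "ExampleFetcher/1.0 (constructed)"',
  'not a log line',
];

// Apache combined log format: ip, ident, user, [time], "request", status, bytes, "referer", "agent"
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
const ASSET_RE = /\.(css|js|png|jpe?g|gif|ico)(\?|$)/i;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // malformed or differently formatted line
  return { ip: m[1], path: m[3], status: Number(m[4]), referer: m[5], agent: m[6] };
}

function suspectedProxyFetchers(lines, protectedPrefix) {
  const clients = new Map(); // one entry per ip + user agent pair
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const key = `${r.ip}|${r.agent}`;
    const c = clients.get(key) ||
      { ip: r.ip, agent: r.agent, pages: 0, assets: 0, withReferer: 0 };
    if (ASSET_RE.test(r.path)) {
      c.assets++;
    } else if (r.path.startsWith(protectedPrefix)) {
      c.pages++;
      if (r.referer !== '-' && r.referer !== '') c.withReferer++;
    }
    clients.set(key, c);
  }
  // Page fetches only, never an asset, never a referer: not a normal browser visit.
  return [...clients.values()]
    .filter(c => c.pages > 0 && c.assets === 0 && c.withReferer === 0)
    .sort((a, b) => b.pages - a.pages);
}
```

Search-engine crawlers match the same pattern, so each result needs to be checked before it goes into a deny rule.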
The overlay idea will still work as it relies on css only and then js at load to remove it (maybe)
You can detect if the website is being viewed by Iframe or not and then redirect to another page if Iframe is detected:
// Redirect when this page is not the top-level window, i.e. it is being framed.
if (window != window.top)
{
     location.href = "URL to redirect to if the user is seeing your page from Iframe...";
}

Since we were relying on the assertion that it was iFrame, we may have been off the mark on possible solutions.  Please post the actual URL of the site in question and we can take a look at what is going on.  Some screen shots would be helpful, too.  The closer we can get to the SSCCE, the better.
@Ray,
With due regards, I admit that this post is off track. The original issue that was posted to EE was breaking an iframe and I got two fantastic solutions, the very first reply from OliverPolden and one from you. These two replies are the solution to the iframe issue, so to justify the points distribution I'll close this post by dividing the points between you and OliverPolden. I hope it's fair.

Now coming to the issue which I found later (my fault) that it's YQL and not iframe, I'll create another post and assign full points to GaryC123 who suggested a link to block YQL:
http://developer.yahoo.com/yql/guide/limit_access_content_providers.html

@Gary, thanks for the link. @Everyone thanks for your kind support, please read below:

We
1. Blocked Yahoo Pipes 2.0 in robots.txt
2. Blocked "Yahoo Pipes" user agent in .htaccess
3. Blocked "Yahoo Pipes" user agent in httpd.conf

and then changed the path of the page so that YQL caching can be avoided. Unfortunately, YQL is not respecting the restrictions and is still fetching page content even from the new paths / URLs.

@Everyone, I would love to share both the URLs (the one that shows content on our site and the YQL one too). Ours is a very high traffic website with great organic search results; I'm afraid those links from EE will appear in Google and I don't want our users to know this. Kindly suggest how I can send these links to a protected area or to your email IDs.

One might say that EE solutions can't be seen since they are login protected, so let me tell you about a bug on EE: when someone views a post on EE the solution is not shown and it says
This question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
but if you keep on scrolling, you'll view the replies, i.e. the suggested solutions.

Just to prove this, in a browser where you are not logged on to EE go to Google and search
site:experts-exchange.com "Ubuntu 12.04 - Failed to download package files"

Click the search result in Google, it will take you to EE and then just keep on scrolling to view the answer.

Regards
Rather than send the URLs via email, you can post them with some mild obscuration such as Iconoun dot com.  Or you can reverse the domain name.  Anything like that can help you get eyes directly on the problem.  You'll get better targeted, less theoretical, answers if we can see what is actually going on.
Is it possible they are using cached pages? I find it hard to believe that Yahoo would ignore your robots.

Use a URL shortener.
Thanks guys, Oliver and Ray gave the exact solution and I distributed the points between them. However, as you can see in the later part of the thread, I found it is not iframe but yml, so I'm going to post another question and will invite you guys to it. I'll award points to Gary there for his help on the yml issue.

EE rocks