alwaysday1

Reputation: 1783

Is it possible to allow my page to be framed, but only by a specified origin?

I am interested in this issue: What exactly can an IFrame do with the top.Location object (cross-domain)?

I recently wanted to find a way to defend against clickjacking, and I found this solution.

However, this solution forbids any page from iframing my page, and what I want is to allow sites in a whitelist to iframe my page.

I know the Allow-From of X-Frame-Options can achieve my goal, but IE 6 and IE 7 don't support this feature.

Is it possible to allow my page to be framed, but only by a specified origin?

UPDATE @Padrig Thanks for answering my question. I can't comment on your answer right now, so I have to edit my question.

I have tried your solution, but it doesn't work.

http://www.b.com/poc/beframed.html

<script>
    if ((self === top) || (top.location.hostname == 'www.a.com')) {
        alert(1);
    }
</script>

http://www.a.com/poc/framer.html

<iframe src="http://www.b.com/poc/beframed.html"></iframe>

And my hosts file:

127.0.0.1 www.a.com
127.0.0.1 www.b.com

There is no alert in my Chrome browser.

Upvotes: 1

Views: 226

Answers (1)

Padrig

Reputation: 193

For security reasons, JavaScript doesn't allow one frame to access the properties of another frame in a different domain.

Yes, it's possible, but using document.referrer.

Upvotes: 1
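
The document.referrer check suggested in the answer, written out as an added example (not code from the question or the answer). It compares the framing page's origin exactly against an allowlist and refuses when the referrer is missing; `ALLOWED_FRAMERS`, `referrerOrigin` and `framingAllowed` are assumed names, and www.a.com is the framing host from the question.

```javascript
// Added example. Origins allowed to frame this page (assumed allowlist;
// http://www.a.com is the framing host used in the question).
const ALLOWED_FRAMERS = ['http://www.a.com'];

// Return the origin (scheme://host[:port]) of a referrer string, or null
// when the referrer is empty or is not a parseable absolute URL.
function referrerOrigin(referrer) {
  if (!referrer) return null;
  try {
    return new URL(referrer).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether the page may render.
//   isTop    - true when the page is not framed (self === top)
//   referrer - document.referrer as seen by the framed page; on the first
//              load of an iframe this is the URL of the embedding page
//   allowed  - list of exact origins permitted to frame the page
function framingAllowed(isTop, referrer, allowed) {
  if (isTop) return true;
  const origin = referrerOrigin(referrer);
  // Exact origin comparison, not a substring or hostname-prefix test.
  // A missing referrer is treated as "not allowed" (fail closed).
  return origin !== null && allowed.includes(origin);
}

// Browser hook: keep the document hidden unless the check passes.
// Skipped outside a browser so the functions above can be unit tested.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const ok = framingAllowed(window.self === window.top,
                            document.referrer, ALLOWED_FRAMERS);
  if (!ok) {
    document.documentElement.style.display = 'none';
  }
}
```

The check reads only the framed page's own `document.referrer`, so it never touches `top.location` across origins. An allowed framer that suppresses its referrer will be rejected.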
