Reputation: 10240
I have a web app http://embed.myapp.com that is intended to be embedded on a few whitelisted sites. The frame access is controlled with X-Frame-Options ALLOW-FROM.
However, I do not want users to access it by putting in the above link directly in the web browser.
What is the best way to block plain (non-embedded) access?
I can determine whether the site is embedded with JavaScript, but by that point a session is already created and certain sensitive information such as CSRF tokens can be seen.
Upvotes: 0
Views: 50
Reputation: 6484
You may not quite get an absolutely foolproof way of stopping users from looking at the content directly.
A simple way to catch most cases would be to look at the Referer header (RFC 2616, section 14.36: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html) on the server side and only serve the content when it is referred from the correct pages.
Upvotes: 1
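The server-side Referer check from the answer, combined with the frame-control header the question already uses, as an added example (not code from either poster). It assumes a constructed whitelist of two embedding origins and plain dict request headers; it goes slightly beyond the answer by also consulting the Fetch Metadata header `Sec-Fetch-Dest` when a browser sends it, and by emitting the CSP `frame-ancestors` equivalent of `X-Frame-Options: ALLOW-FROM`, which current browsers honour where `ALLOW-FROM` is not supported. The decision is made before any session is created, so a direct visit never receives a CSRF token.

```python
from urllib.parse import urlsplit

# Constructed whitelist: the "few whitelisted sites" from the question
# (assumption; replace with the real embedding origins).
ALLOWED_EMBEDDERS = {"https://partner-a.example", "https://partner-b.example"}


def _lower_keys(headers):
    """Header names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def origin_of(url):
    """Return scheme://host[:port] of a URL (lower-cased), or None if unparseable."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_embedded_request(headers, allowed=ALLOWED_EMBEDDERS):
    """Decide from request headers alone whether this looks like an allowed iframe load.

    A missing Referer is treated as a direct visit and refused, which is what the
    question asks for; the cost is that an embedding page that suppresses the
    Referer (e.g. via Referrer-Policy) is refused too. Non-browser clients can
    set any Referer they like, so this is best-effort, as the answer says.
    """
    h = _lower_keys(headers)
    # Fetch Metadata: browsers that send Sec-Fetch-Dest mark iframe loads as
    # "iframe" and top-level navigations as "document". Only trust it when present.
    dest = h.get("sec-fetch-dest")
    if dest is not None and dest != "iframe":
        return False
    referer_origin = origin_of(h.get("referer"))
    if referer_origin is None:
        return False
    return referer_origin in {a.lower() for a in allowed}


def build_response(headers, body="<p>embedded widget</p>"):
    """Return (status, response_headers, body) for a request to the embed URL.

    Refused requests get a 403 and no session or CSRF token is issued.
    """
    if not is_embedded_request(headers):
        return 403, {"Content-Type": "text/plain"}, "This page may only be embedded."
    embedder = origin_of(_lower_keys(headers).get("referer"))
    response_headers = {
        "Content-Type": "text/html",
        # Header the question already uses ...
        "X-Frame-Options": f"ALLOW-FROM {embedder}",
        # ... and its CSP equivalent, honoured by browsers that ignore ALLOW-FROM.
        "Content-Security-Policy": f"frame-ancestors {embedder}",
        # The response depends on these request headers; keep caches honest.
        "Vary": "Referer, Sec-Fetch-Dest",
    }
    return 200, response_headers, body


if __name__ == "__main__":
    direct = build_response({"Sec-Fetch-Dest": "document"})
    framed = build_response({"Referer": "https://partner-a.example/page.html",
                             "Sec-Fetch-Dest": "iframe"})
    print(direct[0], framed[0])  # 403 200
```

Wire `build_response` (or just `is_embedded_request`) in front of the session middleware, not behind it; if the framework opens a session before your handler runs, the check is too late for the CSRF token the question is worried about.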