Reputation: 4663
Someone is iframing my website, using
<iframe src="http://example.org" sandbox=""></iframe>
This way, the sandbox attribute prevents my site from running its iframe blocker, so it can be easily iframed.
Frame buster on my website:
if (window.top !== window.self) window.top.location.replace(window.self.location.href);
Is there a programmatic way to redirect to my site when it is being iframed with the sandbox attribute?
Upvotes: 26
Views: 7214
Reputation: 2748
@SudiptaKumarMaiti's answer of X-Frame-Options works, but is being superseded by Content Security Policy (CSP) Level 2 - specifically the frame-ancestors directive.
To disallow framing completely (similar to X-Frame-Options: DENY), use this HTTP header:
Content-Security-Policy: frame-ancestors 'none';
Upvotes: 1
Reputation: 1709
Iframing can be protected against through the X-Frame-Options response header: set either X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN. Through this response header setting you can protect your website against iframing or clickjacking attacks.
Once the X-Frame-Options response header is set, the browser shows a standard message like "This content cannot be displayed in a frame".
Upvotes: 18
Reputation: 7408
I think the best thing you can do is show your own message with a target="top"
link. The whole concept of the sandbox attribute is to disallow redirects. There is no way to bypass that, and if you ever find one, browser makers will probably find a way to stop it. It's clearly their intention.
This is just how the web works. You can't do whatever you want when it comes to browsers.
Upvotes: 2
Reputation: 2771
The sandbox attribute turns off all JavaScript, amongst other things. This is why your frame buster is not working, nor any other JavaScript people have provided.
W3 say of a sandbox:
A test shows that the attribute also disables meta redirects and any standard link which breaks out of the iframe.
With this strictness, I'd be very surprised if a redirect is possible, since that would defeat the point of the sandbox.
The best I can suggest would be to use the noscript tag to display a message to users seeing the page in a sandboxed iframe. You could style that so people can't see your content.
(If it is just one site being a problem, then blocking them with htaccess would probably be a better approach)
Upvotes: 11
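The answer above suggests a noscript message styled so that a viewer inside a sandboxed iframe sees a notice instead of the content. The following page is an added example of that pattern, not code from the answer: the real content is hidden by CSS and only revealed by the question's own top-level check, so where scripts cannot run (as in an iframe with the sandbox attribute) the noscript block is what appears. The https://example.org/ URL is taken from the question's example; the #content wrapper id is an assumption. As the answers note, the response headers are the actual defence; this is only a fallback for the case the question describes.

```html
<!-- Added example, not from the original answer. Content stays hidden
     until a script confirms the page is top-level; in <iframe sandbox="">
     scripts are disabled, so only the <noscript> notice is visible. -->
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <style>
    /* Hidden by default; the script below reveals it only when the
       document is not framed. Assumed wrapper id: #content. */
    #content { display: none; }
  </style>
  <script>
    // The question's frame buster, reused as the only code path that
    // ever makes the content visible.
    if (window.top === window.self) {
      document.addEventListener('DOMContentLoaded', function () {
        document.getElementById('content').style.display = 'block';
      });
    } else {
      window.top.location.replace(window.self.location.href);
    }
  </script>
</head>
<body>
  <noscript>
    <!-- Rendered wherever scripting is off, including a sandboxed frame.
         The target="_top" link lets the user open the real site; a sandbox
         without allow-top-navigation blocks even that, so this is a
         notice, not a guarantee of escaping the frame. -->
    <p>This page is being shown inside another site.
       <a href="https://example.org/" target="_top">Open it directly</a>.</p>
  </noscript>
  <div id="content">
    <p>Real content goes here.</p>
  </div>
</body>
</html>
```

Keeping the content hidden until the check passes matters: if the page were visible by default, a sandboxed frame would show it in full and the noscript notice would simply sit above it.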