kberStill

Reputation: 57

How to prevent an iframe from processing URLs from an outside domain?

I'm working on a project where I need to restrict the iframe from displaying any URL that we put in it other than the original domain.

For example, my website is www.myweb.com. Having an iframe src="www.yourweb.com" should prevent anything from continuing.

I have tried to use the frame-ancestor option in Content-Security-Policy, and X-Frame-Option set to SAMEORIGIN/DENY. To no avail; nothing worked.

Any ideas?

Upvotes: 0

Views: 784

Answers (2)

iatanasov

Reputation: 53

You can look at https://developers.facebook.com/docs/messenger-platform/webview/extensions

Especially:

X-Frame-Options: ALLOW-FROM https://www.messenger.com/
X-Frame-Options: ALLOW-FROM https://www.facebook.com/

Upvotes: 0

Vladimir

Reputation: 853

In general, the Content-Security-Policy: frame-ancestors 'self' should work, but it depends on the end user's browser. See Headers to block iframe loading for details and try both HTTP headers as described there.

Upvotes: 1
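Added example, not part of either answer: both headers named above are sent by the page being framed and enforced by the browser, so a simplified model of that browser-side decision shows what each header value does. The function name mayBeFramed and the https:// origins built from the question's two sites are assumptions; only the immediate parent is checked and wildcard hosts are not handled.

```javascript
// Simplified model of a browser deciding whether a response may render in a frame.
// headers: response headers of the framed page; pageOrigin: that page's origin;
// embedderOrigin: origin of the page containing the <iframe>.
function mayBeFramed(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  // 1. CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    // An empty source list behaves like 'none'.
    const allowed = directive.slice(1).some(src => {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === "'self'") return embedderOrigin === pageOrigin;
      if (s === '*') return true;
      return s.replace(/\/$/, '') === embedderOrigin; // exact origin match only
    });
    return { allowed, decidedBy: 'frame-ancestors' };
  }

  // 2. Otherwise fall back to X-Frame-Options.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return { allowed: false, decidedBy: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: embedderOrigin === pageOrigin, decidedBy: 'x-frame-options' };
  }
  // ALLOW-FROM is obsolete: current browsers ignore the header entirely,
  // so it provides no framing restriction on its own.
  return { allowed: true, decidedBy: xfo ? 'ignored x-frame-options' : 'no policy' };
}

// Constructed sample origins, based on the sites named in the question.
const SELF = 'https://www.myweb.com';
const OTHER = 'https://www.yourweb.com';
console.log(mayBeFramed({ 'Content-Security-Policy': "frame-ancestors 'self'" }, SELF, OTHER));
console.log(mayBeFramed({ 'X-Frame-Options': 'ALLOW-FROM https://www.facebook.com/' }, SELF, OTHER));
```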
