teeparty

Reputation: 296

How to make the iframe block requests from certain domains?

Is there an attribute for iframes that will make it block requests to certain domains? Something like the following:

<iframe src="www.example.com" block-domains="google.com"></iframe>

So if block-domains is that magical attribute I'm looking for, it's telling the iframe to block all requests to google.com.

Upvotes: 4

Views: 2640

Answers (2)

Tymur Taraunekh

Reputation: 229

As far as I know, it is not possible unless you have access to set response headers of the domain you want to load.

If you have access, then you can set the Content-Security-Policy response header to frame-src. It restricts what domains a page can load in an iframe.

For example, if the website at https://example.com has a response header of Content-Security-Policy: frame-src 'self' *.trusted.com, then it is only possible to make requests to example.com and *.trusted.com domains inside an iframe.

Upvotes: 1
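
The policy quoted in the answer above, evaluated against a few candidate iframe URLs. This is an added example, not part of the answer; the function names are hypothetical and the matching is simplified (ports and paths in source expressions are ignored).

```javascript
// Added example: simplified evaluation of a CSP frame-src source list.
// Assumptions: only 'self', 'none', "*", scheme sources and host sources are handled.

// Return the source list governing frames: frame-src, else child-src, else default-src.
function frameSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, values); // first wins
  }
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // policy does not restrict frames
}

// An "http:" source also matches the upgraded "https:" scheme, never the reverse.
function schemeOk(srcScheme, urlScheme) {
  return srcScheme === urlScheme || (srcScheme === 'http:' && urlScheme === 'https:');
}

// "*.trusted.com" matches subdomains only, not trusted.com itself.
function hostOk(srcHost, host) {
  return srcHost.startsWith('*.') ? host.endsWith(srcHost.slice(1)) : host === srcHost;
}

// Would a page at pageUrl serving `policy` be allowed to load frameUrl in an iframe?
function frameAllowed(policy, pageUrl, frameUrl) {
  const sources = frameSources(policy);
  if (sources === null) return true;
  const page = new URL(pageUrl);
  const frame = new URL(frameUrl);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return frame.host === page.host && schemeOk(page.protocol, frame.protocol);
    if (src === '*') return ['http:', 'https:'].includes(frame.protocol);
    if (src.endsWith(':')) return schemeOk(src, frame.protocol);
    const m = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?([^/:]+)/.exec(src);
    return m !== null && schemeOk(m[1] || page.protocol, frame.protocol) && hostOk(m[2], frame.hostname);
  });
}

// Constructed inputs using the policy quoted in the answer above.
const POLICY = "frame-src 'self' *.trusted.com";
const PAGE = 'https://example.com/app';
for (const url of ['https://example.com/widget', 'https://cdn.trusted.com/embed',
  'https://trusted.com/', 'https://google.com/']) {
  console.log(url, frameAllowed(POLICY, PAGE, url) ? 'allowed' : 'blocked');
}
```
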

schezfaz

Reputation: 339

I believe the closest you can get to this is by setting X-Frame-Options in the HEADER declaration. The documentation here states that you can provide any one of the 2 following options (the 3rd being obsolete):

  • DENY : the iframe will not be displayed, regardless of the page trying to embed it
  • SAMEORIGIN : the iframe will only be displayed if called by a site having the same origin as the page itself (by checking the frame ancestors)

Another workaround might be to use frame-ancestors as part of the Content Security Policy header, which will allow you to specify sites on which the iframe can be embedded.

Upvotes: 1
