hong  
#1 Posted : Tuesday, 21 June 2016 9:23:42 AM(UTC)
How to prevent your site from being loaded inside a 3rd party site's frame / iframe - X-FRAME-OPTIONS

1. JavaScript to detect it after the page has loaded. Compare top and self; if they're not identical, you are in a frame.
Code:
<script>
	// If this window is not the top-level window, the page has been framed:
	// navigate the top-level window to this page instead.
	if (window !== window.top) {
		window.top.location.href = window.location.href;
	}
</script>


This is equivalent to DENY in X-FRAME-OPTIONS, see below. It has no other option than DENY for the whole page.

2. Additionally, modern browsers support the X-FRAME-OPTIONS header with three values:

1) DENY – prevents the page from being rendered if it is contained in a frame, i.e. the page cannot be displayed in a frame.
2) SAMEORIGIN – The page can only be displayed in a frame on the same origin as the page itself. In other words, it's the same as above, unless the page belongs to the same domain as the top-level frameset holder.
3) ALLOW-FROM uri - The page can only be displayed in a frame on the specified origin.

The minimum versions of browsers that support the header:
IE8
Opera 10.50
Safari 4
Chrome 4.1.249.1042
Firefox 3.6.9

You can use the HTTP header field X-Frame-Options in the site-wide configuration web.config. This approach is not recommended [1]; it is better to do it at page level rather than site level.
Code:
    <httpProtocol>
      <customHeaders>
        <clear/>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <!--<add name="X-UA-Compatible" value="IE=EmulateIE7"/>-->
        <add name="X-UA-Compatible" value="IE=edge,chrome=1"/>
      </customHeaders>
    </httpProtocol>



Notes:
If it is not working, check whether X-UA-Compatible is set to an old browser version in the HTML header or in the server configuration. See the example above for the fix.

The X-Frame-Options header may contain one of the three tokens mentioned above. This token must be sent as an HTTP header named X-FRAME-OPTIONS on HTML responses to restrict how the page may be framed; the directive will be ignored if found in a META HTTP-EQUIV tag <meta http-equiv="X-Frame-Options" content="deny">

If a page specifies SAMEORIGIN, browsers will forbid framing only if the top-level origin FQDN (fully qualified domain name, as shown in the browser address bar) does not exactly match the FQDN of the subframe page that demanded the SAMEORIGIN restriction.

Best Practices
1) Send the directive as an HTTP header – it is ignored if specified in a META tag
2) Use X-Frame-Options on critical configuration pages or other pages that require an "authentic user click"
3) Don't use "SAMEORIGIN" if you have any page on your domain which accepts an arbitrary URL to frame

[1] https://blogs.msdn.micro...ng-with-x-frame-options/

Edited by user Thursday, 13 October 2016 6:04:33 AM(UTC)  | Reason: Not specified
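To make the three tokens and the same-origin comparison concrete, here is an added example (not code from the post above) that models how a browser decides whether to render a framed page given its X-Frame-Options value, plus a small helper that adds the header per response rather than site-wide. The function names (evaluateFrameOptions, withFrameOptions, originOf) and the example.com / example.net URLs are assumptions made for this example; they are constructed, not taken from any real deployment.

```javascript
'use strict';
// Added example: a model of browser X-Frame-Options handling and a per-response
// header helper. Names and sample URLs are assumptions for this example.

// Browsers compare origins (scheme + host + port, RFC 6454), which is slightly
// stricter than an FQDN-only comparison: https://example.com and
// http://example.com are different origins.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Returns 'render', 'block' or 'invalid'.
//   headerValue: the X-Frame-Options value sent with the framed page, or null
//   pageUrl:     URL of the document that carries the header
//   topUrl:      URL of the top-level browsing context, or null if not framed
function evaluateFrameOptions(headerValue, pageUrl, topUrl) {
  // Not framed at all: there is nothing for the header to restrict.
  if (topUrl === null) return 'render';
  // No header: browsers impose no framing restriction.
  if (headerValue === null || headerValue === undefined) return 'render';

  const value = headerValue.trim();
  // A header carrying several tokens ("DENY, SAMEORIGIN") is not a valid
  // directive; what browsers then do varies, so report it as invalid.
  if (value.includes(',')) return 'invalid';

  const [token, ...rest] = value.split(/\s+/);
  switch (token.toUpperCase()) {
    case 'DENY':
      return 'block';
    case 'SAMEORIGIN':
      return originOf(topUrl) === originOf(pageUrl) ? 'render' : 'block';
    case 'ALLOW-FROM': {
      // Legacy token; browsers that never implemented it ignore the whole
      // header. This model represents a browser that honours it.
      if (rest.length !== 1) return 'invalid';
      let allowed;
      try { allowed = originOf(rest[0]); } catch (e) { return 'invalid'; }
      return originOf(topUrl) === allowed ? 'render' : 'block';
    }
    default:
      return 'invalid';
  }
}

const VALID_TOKENS = new Set(['DENY', 'SAMEORIGIN', 'ALLOW-FROM']);

// Pure helper: returns a copy of `headers` with X-Frame-Options added.
// Applying it per response (e.g. on a settings page) instead of site-wide
// lets a page that legitimately frames arbitrary URLs stay unaffected.
function withFrameOptions(headers, token, allowFromUri) {
  const upper = String(token).toUpperCase();
  if (!VALID_TOKENS.has(upper)) {
    throw new Error('unknown X-Frame-Options token: ' + token);
  }
  if (upper === 'ALLOW-FROM') {
    if (!allowFromUri) throw new Error('ALLOW-FROM requires a URI');
    return { ...headers, 'X-Frame-Options': 'ALLOW-FROM ' + originOf(allowFromUri) };
  }
  return { ...headers, 'X-Frame-Options': upper };
}

// Stand-alone demo on constructed URLs (example.com / example.net are
// reserved documentation domains).
const demoPage = 'https://www.example.com/account/settings';
console.log(evaluateFrameOptions('SAMEORIGIN', demoPage, 'https://www.example.com/'));   // render
console.log(evaluateFrameOptions('SAMEORIGIN', demoPage, 'https://other.example.net/')); // block
console.log(withFrameOptions({ 'Content-Type': 'text/html' }, 'deny'));
```

Note that the comparison in evaluateFrameOptions treats a scheme or port difference as a different origin, so a page served over HTTPS with SAMEORIGIN will be blocked when framed by the same host over plain HTTP; that matches browser behaviour and is one reason a SAMEORIGIN policy can appear "not to work" during testing.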

hong  
#2 Posted : Wednesday, 12 October 2016 5:23:12 PM(UTC)
Updated
