Geek Answers Handbook

Check if the website allows iframe embedding

I am writing a simple lightbox plugin for my application, and I need to embed an iframe that is associated with an arbitrary page. The problem is that many websites (like facebook , nytimes, and even stackoverflow) will check to see if they are embedded inside the frame, and if so, they refresh the page as the parent page. This is a known issue, and I do not think that something can be done about this. However, I would like to know in advance if the site supports embedding or not. If this is not the case, I would like to open the page in a new tab / window instead of using an iframe.

Is there a trick that allows me to test this in javascript?

Perhaps there is a server side script that can check links to see if they allow iframes to be embedded?

I am developing a browser extension, so there is the opportunity to do something very creative. My extension is loaded onto every page, so I think there is a way to pass a parameter to the iframe url that the extension can select if it destroys the iframe. Then I can add the domain to the list of sites that do not support iframe embed. This may work because extensions are not loading inside the iframe. I will work on it, but in the meantime ....

Clarification:

I agree that there is no way to "enumerate" the "frame", i.e. I know that I cannot display a page in an iframe that does not want to be in one. But I want my application to fail, which means opening the link in a new window if iframe embed is not supported. Ideally, I would like to check iframe embed support at runtime (javascript), but I see a potential server solution using a proxy server, as suggested in the comments above. I hope I can create a database of sites that do not allow iframes to be embedded.

+8
javascript jquery google-chrome-extension iframe embed
source share
3 answers

Check the x-frame options header using the following code

$url = "http://stackoverflow.com"; $header = get_headers($url, 1); echo $header["X-Frame-Options"];

If the return value is DENY, SAMEORIGIN, or ALLOW-FROM, you cannot use an iframe with this URL.

+6
source share

Probably pretty late, but you need to make a request, probably from your server, and look for a header with x-frame options. If it is there at all, you can simply open a new tab, because if it is, it is one of the following: DENY, SAMEORIGIN, ALLOW-FROM. In any of these cases, you probably do not have access to open it in an iframe.

+2
source share

This question was discussed forever on the Internet with a particularly interesting (unsuccessful) attempt:

Buster Buster frame ... wrestler code needed

The bottom line is that even if you can create a proxy server that analyzes the content of the page you want in your iframe and removes the violation code before it is sent to the iframe, you can still β€œstop and desist” with site if they find out how you do it.

If you do not want your development to be widely available, you would probably be able to cope with it. If you want your development to become popular, forget about it and create a less simple way to deal with it.

Or design it only for mobile devices ...;)

UPDATE: OK, following the following from your comment here is a little taster:

in javascript lock click on link

 $("a").click(function(e){ preventDefault(e); // make sure the click doesn't happen // call a server side script using ajax and pass the URL this.href // return either a true or false; true = iframe breakout // set the target attribute of the link to "_blank" for new window (if true) // set the target attribute of the link to "yourframename" for iframe (if false) // only now load the page in the new window or iframe });

server side in PHP

 $d = file_get_contents($url); // $url is the url your sent from the browser // now parse $d to find .top .parent etc... in the <head></head> block // return true or false
+1
source share

More articles: