
I have a special page in a webserver that should only be shown when embedded inside a specific site as an iframe.

Using the Content-Security-Policy I can specify which sites are allowed as frame-ancestors, so putting it in an iframe in a disallowed site yields an error.

As desired, putting it in the intended place in an iframe works, and putting it in an unintended place gives an error.

What I want is to also show an error if the page is shown outside of any iframe.

I have not been able to find any CSP header or serverside way to achieve this.

How do I do this? Is there a server-side way to detect this (so I can return error content), or is this a frontend (JavaScript) thing only? If so, how do I detect this?

Comments:
  • Don't think CSP can do this. Some other, unrelated website embedding your site as an iframe can be a security risk (deception), but I can't think of an attack the other way around. Anyway, you could check via JavaScript whether your page is the "top" page or not: stackoverflow.com/a/326076/23479232 Commented May 7 at 9:18
  • Yes, the CSP is mainly about avoiding security problems and, as you said, running the page outside the intended iframe is not a security problem. My need is really to avoid usability problems. Thanks for the JavaScript pointers. Commented May 7 at 9:49
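The check the first comment points to, worked through as an added example (this code is not from the question or the commenters). It assumes a browser-like `win` object exposing `self` and `top`, a `doc` with a `body`, and, for the server-side part, a Node-style header object with lowercased keys; the `classifyFetchDest` helper and the `guardEmbedOnly` name are hypothetical names chosen here. The client-side comparison of `window.self` and `window.top` works even when the embedding page is cross-origin, because only object identity is compared, never the parent's contents. The server-side part relies on the standard Fetch Metadata request header `Sec-Fetch-Dest`, which browsers that implement it send as `iframe` (or `frame`) for navigations inside a frame and `document` for top-level navigations; older browsers omit it, so a missing header must be treated as unknown rather than as top-level.

```javascript
// Added example: detect whether the page is running inside a frame.
// This is a usability guard only. The CSP frame-ancestors directive
// (e.g. "Content-Security-Policy: frame-ancestors https://intended.example")
// remains the control over which sites are allowed to embed the page.

// Client side: true when this document is not the top-level page.
function isEmbedded(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // Some sandboxed contexts throw on access to win.top; treating that as
    // "embedded" avoids hiding the page from a legitimate embedding site.
    return true;
  }
}

// Replace the document body with an error notice when the page is opened
// directly instead of inside the intended iframe. Returns true when the
// notice was shown (i.e. the page was NOT embedded).
function guardEmbedOnly(win, doc, message) {
  if (isEmbedded(win)) {
    return false;
  }
  doc.body.textContent = message;
  return true;
}

// Server side (Node-style header object with lowercase keys, assumed here):
// classify the navigation using the Fetch Metadata header Sec-Fetch-Dest.
// "unknown" means the browser did not send the header; serve the page
// normally in that case and let the client-side check decide.
function classifyFetchDest(headers) {
  const dest = String(headers['sec-fetch-dest'] || '').toLowerCase();
  if (dest === '') return 'unknown';
  if (dest === 'iframe' || dest === 'frame') return 'embedded';
  if (dest === 'document') return 'top-level';
  return 'other';
}

// Usage in the browser (skipped when run outside one, e.g. under Node):
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  guardEmbedOnly(window, document,
    'This page is only available from within the portal.');
}
```

In a real deployment the client-side guard should run once the DOM is available (for example from a `DOMContentLoaded` handler), and a server that uses `classifyFetchDest` would return the error content only for the `top-level` result, never for `unknown`.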
