I have a special page in a webserver that should only be shown when embedded inside a specific site as an iframe.
Using the Content-Security-Policy header I can specify which sites are allowed as frame-ancestors, so putting it in an iframe in a disallowed site yields an error.
As desired, putting it in the intended place in an iframe works, and putting it in an unintended place gives an error.
What I want is to also show an error if the page is shown outside of any iframe.
I have not been able to find any CSP header or serverside way to achieve this.
How do I do this? Is there a server-side way to detect this (so I can return error content), or is this a frontend (JavaScript) thing only? If so, how do I detect this?
iframe can be a security risk (deception), but I can't think of an attack the other way around. Anyway, you could check via JavaScript whether your page is the "top" page or not: stackoverflow.com/a/326076/23479232
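The check the comment points at, written out as an added example (this is not code from the question, the comment, or the linked answer). It covers the three cases a page can find itself in: top-level, framed by a same-origin parent, and framed by a cross-origin parent, where the browser throws on any attempt to inspect the parent. It also shows the one server-side hint that exists, the Sec-Fetch-Dest request header, which browsers that implement Fetch Metadata send as "iframe" for a nested document and "document" for a top-level navigation; older browsers and non-browser clients omit it, so its absence means "unknown", not "not framed". The function names, the origins host.example and widget.example, and the window and document stand-ins are all assumptions made so the file runs under Node; in a real page you would call isFramed(window) and enforceFramedOnly(window, document).

```javascript
// Added example, not from the original question or comment.
// Client-side "am I inside an iframe?" detection, plus the Fetch Metadata
// hint a server can use. All functions take window/document/headers as
// parameters so they can run against constructed stand-ins under Node.

function isFramed(win) {
  try {
    // In a top-level document window.top === window.self; in any nested
    // browsing context they differ. Reading win.top is permitted even when
    // the parent is cross-origin, so this comparison normally never throws.
    return win.self !== win.top;
  } catch (e) {
    // Defensive: if the browser blocks even this, we are not the top window.
    return true;
  }
}

function framingState(win) {
  if (!isFramed(win)) return "top-level";
  try {
    // Reading win.top.location succeeds only when the parent is same-origin.
    return "framed-same-origin:" + win.top.location.origin;
  } catch (e) {
    // Cross-origin parent: the browser throws a SecurityError, so the only
    // fact we learn is "framed, by a parent we cannot inspect".
    return "framed-cross-origin";
  }
}

// Replaces the page body with an error when the page is opened directly.
// This is a presentation measure only: anyone can fetch the HTML with
// JavaScript disabled, so it must not be relied on to protect the content.
function enforceFramedOnly(win, doc) {
  if (framingState(win) !== "top-level") return true;
  doc.body.textContent = "This page is only available inside its host application.";
  return false;
}

// Server side: Sec-Fetch-Dest is "iframe" (or "frame") for a nested document
// and "document" for a top-level navigation. A missing header yields null
// ("unknown"), never false. `headers` is keyed by lower-case header name, as
// Node's http module provides.
function requestLooksFramed(headers) {
  const dest = headers["sec-fetch-dest"];
  if (dest === undefined) return null;
  return dest === "iframe" || dest === "frame";
}

// Constructed window stand-ins (assumed origins) for running outside a browser.
function makeTopWindow() {
  const w = { location: { origin: "https://host.example" } };
  w.self = w;
  w.top = w;
  return w;
}

function makeFramedWindow(sameOriginParent) {
  const parent = {};
  if (sameOriginParent) {
    parent.location = { origin: "https://host.example" };
  } else {
    // Mimic a cross-origin Window: touching its location throws.
    Object.defineProperty(parent, "location", {
      get() { throw new Error("SecurityError: Blocked a frame with origin"); },
    });
  }
  const w = { location: { origin: "https://widget.example" } };
  w.self = w;
  w.top = parent;
  return w;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("top-level page:      ", framingState(makeTopWindow()));
  console.log("same-origin parent:  ", framingState(makeFramedWindow(true)));
  console.log("cross-origin parent: ", framingState(makeFramedWindow(false)));
  console.log("Sec-Fetch-Dest absent:", requestLooksFramed({}));
}
```

The window comparison is the only signal available to the page itself; combine it with frame-ancestors, which remains the actual control for who may embed the page, and treat Sec-Fetch-Dest as a best-effort hint for serving an error page rather than as a guarantee.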