How to block pop-up coming from iframe?

If you are wanting to block something like POP up ads or something coming from a website you are showing in an IFRAME - it's fairly easy.

Make a framefilter.php and javascriptfilter.php which your iframe points to. You can modify it to meet your needs such as the onload blah blah and etc. But as/is - it's been working fine for me for quite a while. Hope it helps.

Replace your standard IFRAME HTML with this:

    <IFRAME SRC="http://www.yourdomainhere.com/framefilter.php?furl=http://www.domainname.com" WIDTH=1000 HEIGHT=500>
If you can see this, your browser doesn't 
understand IFRAMES. However, we'll still 
<A HREF="http://www.domainname.com">link</A> 
you to the page.
</IFRAME>

Framefilter.php

        <?php

//Get the raw html.
$furl=trim($_GET["furl"]);
$raw = file_get_contents($furl);

$mydomain="http://www.yourdomainhere.com/";

//Kill anoying popups.
$raw=str_replace("alert(","isNull(",$raw);
$raw=str_replace("window.open","isNull",$raw);
$raw=str_replace("prompt(","isNull(",$raw);
$raw=str_replace("Confirm: (","isNull(",$raw);

//Modify the javascript links so they go though a filter.
$raw=str_replace("script type=\"text/javascript\" src=\"","script type=\"text/javascript\" src=\"".$mydomain."javascriptfilter.php?jurl=",$raw);
$raw=str_replace("script src=","script src=".$mydomain."javascriptfilter.php?jurl=",$raw);

//Or kill js files
//$raw=str_replace(".js",".off",$raw);

//Put in a base domain tag so images, flash and css are certain to work.
$replacethis="<head>";
$replacestring="<head><base href='".$furl."/'>";
$raw=str_replace($replacethis,$replacestring,$raw);

//Echo the website html to the iframe.
echo $raw;

?>

javascriptfilter.php

<?php

//Get the raw html.
$jurl=trim($_GET["jurl"]);
$raw = file_get_contents($jurl);

//Note, if trickyness like decode detected then display empty.
if(!preg_match("decode(", $raw)){

//Kill anoying popups.
$raw=str_replace("alert(","isNull(",$raw);
$raw=str_replace("window.open","isNull",$raw);
$raw=str_replace("prompt(","isNull(",$raw);
$raw=str_replace("Confirm: (","isNull(",$raw);

//Echo the website html to the iframe.
echo $raw;

}

?>

Quite an old ask, but I thought I'd offer a newer solution since this is the top result in google.

If you want to block an iframe from opening windows, you can use the new HTML5 "sandbox" attribute on your iframe.

https://developer.mozilla.org/en/docs/Web/HTML/Element/iframe

This should keep it from doing anything (except running javascript which may be required for the page to function correctly):

<iframe sandbox="allow-scripts" src="your/url/here"></iframe>

I don't think this is possible.

  • first (and most importantly), if the iframe is in a different domain, you can't change its DOM - such as the onunload handlers. If this is the case, the other two issues are moot.
  • second, even if you could, you'd have to remove the listener in some way. If the listener is loaded via window.onunload, that would be simple; otherwise, not so much.
  • third, in the long term this would lead to the same arms race as the frame-busting-busters

The only possibility I see is non-technical in nature: check with whoever runs that site inside the iframe if they could make a special page for you, one without such onunload popup. In most cases, either

  • a) some special arrangement can be made (although not always for free), or
  • b) removing the functionality would be a violation of the ToS, in which case you'd have to look for someone else providing similar functionality, without the pop-ups (and realistically, most services have more than a single provider)

Actually, this is possible. Well at least in many cases. Often, the code in the iframe will be running something like top.window.open(...) to open a pop-up. You can redefine the window.open method so it still exists, but doesn't open a window. E.g.:

` window.alias_open = window.open;

window.open = function(url, name, specs, replace) { // Do nothing, or do something smart... } `

If you still want some pop-ups to open, you can whitelist urls within the body of window.open, and call alias_open as needed.


Setting the sandbox attribute on the IFrame element should work.