How to Block Iframe call

You can set the header X-Frame-Options: Deny.

All modern browsers support the X-Frame-Options header.

Facebook uses this header to disable iframes/framesets (also JavaScript).

If you have enabled mod_headers in Apache:

.htaccess

Header set X-Frame-Options DENY

But you can allow iframes that come from the same origin:

Header always append X-Frame-Options SAMEORIGIN

Or in Nginx:

add_header X-Frame-Options Deny; #or SAMEORIGIN

Browser compatibility: Source

  • Internet Explorer: 8.0
  • Firefox (Gecko): 3.6.9 (1.9.2.9)
  • Opera: 10.50
  • Safari: 4.0
  • Chrome: 4.1.249.1042

I don't think you can through .htaccess; you can use JS, however. You can use a function like this one to check:

function parentIsSameOrigin()
{
    var result = true;
    // window.parent is the window itself when the page is not framed,
    // so only a parent that is a different window needs checking
    if (window.parent && window.parent !== window)
    {
        try
        {
            // Reading a cross-origin parent's location throws a
            // SecurityError, so reaching the comparison already means
            // the parent is same-origin; compare origins to be explicit
            result = (window.location.origin === window.parent.location.origin);
        }
        catch (e)
        {
            result = false;
        }
    }
    return result;
}

You can't "enforce" it per se, since there are ways around it, but you can use the standard header method. html5-boilerplate has a nice vhost/htaccess snippet that first sets X-Frame-Options to your choice of DENY/SAMEORIGIN/ALLOW-FROM, and then allows a whitelist of MIME types for use in good frames such as Google image search.

Check the link for the latest version, but here is the example from Jan 25 2016 in SAMEORIGIN mode:

<IfModule mod_headers.c>

     Header set X-Frame-Options "SAMEORIGIN"

     <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
         Header unset X-Frame-Options
     </FilesMatch>

</IfModule>
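To check what the Apache and Nginx directives in the first answer, and the FilesMatch unset in the snippet above, actually produce on the wire, here is an added example (not code from any of the answers or from html5-boilerplate) that classifies a response's clickjacking protection the way a browser reads it. It models each directive hit as one header line, so `Header set` followed by `Header always append` (which write to different header tables) yields two X-Frame-Options lines, and it treats non-HTML content types as not needing the header, which is the point of the FilesMatch block. The CSP frame-ancestors branch goes beyond the page: it is the modern replacement for ALLOW-FROM, which current browsers no longer honour. All sample responses and the hostname in them are constructed.

```python
"""Judge the clickjacking protection a set of HTTP response headers provides.

Added example, not code from any of the answers above. Sample responses
are constructed to mirror the configurations discussed on the page.
"""
from typing import Dict, List, Optional, Tuple

# A response is a list of (name, value) pairs so repeated header lines survive.
Headers = List[Tuple[str, str]]

# Only these media types can be loaded as a frame document.
FRAMEABLE_TYPES = {"text/html", "application/xhtml+xml"}


def header_values(headers: Headers, name: str) -> List[str]:
    """Return every value of header `name` (case-insensitive), treating a
    comma-separated value the same as repeated lines, as HTTP does."""
    values: List[str] = []
    for key, value in headers:
        if key.lower() == name.lower():
            values.extend(part.strip() for part in value.split(",") if part.strip())
    return values


def frame_ancestors(headers: Headers) -> Optional[List[str]]:
    """Extract the CSP frame-ancestors source list, or None if absent."""
    for policy in header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def assess(headers: Headers) -> Dict[str, str]:
    """Classify a response as protected, not-applicable, conflicting,
    obsolete, invalid or missing, with a one-line reason."""
    content_type = header_values(headers, "Content-Type")
    # No Content-Type: assume a document, since a browser may sniff one.
    media = content_type[0].split(";")[0].strip().lower() if content_type else "text/html"
    if media not in FRAMEABLE_TYPES:
        # Images, fonts, JSON etc. are never framed on their own, which is
        # why html5-boilerplate unsets the header for them.
        return {"status": "not-applicable", "reason": f"{media} is not a frameable document"}

    ancestors = frame_ancestors(headers)
    if ancestors is not None:
        # CSP Level 2: when frame-ancestors is present, X-Frame-Options is ignored.
        return {"status": "protected", "reason": "CSP frame-ancestors " + " ".join(ancestors)}

    xfo = [v.upper() for v in header_values(headers, "X-Frame-Options")]
    if not xfo:
        return {"status": "missing", "reason": "no X-Frame-Options or frame-ancestors"}
    if any(v.startswith("ALLOW-FROM") for v in xfo):
        return {"status": "obsolete", "reason": "ALLOW-FROM is not supported by current browsers; use frame-ancestors"}
    if len(set(xfo)) > 1:
        # Typical cause: `Header set` plus `Header always append` on the same vhost.
        return {"status": "conflicting", "reason": f"multiple values {xfo}; emit exactly one value"}
    if xfo[0] in {"DENY", "SAMEORIGIN"}:
        return {"status": "protected", "reason": f"X-Frame-Options {xfo[0]}"}
    return {"status": "invalid", "reason": f"unrecognised value {xfo[0]!r}"}


# Constructed responses modelling the configurations discussed above.
SAMPLES: Dict[str, Headers] = {
    # Apache: Header set X-Frame-Options DENY
    "apache_set_deny": [("Content-Type", "text/html; charset=utf-8"),
                        ("X-Frame-Options", "DENY")],
    # Apache: Header set ... DENY, then Header always append ... SAMEORIGIN
    "apache_set_then_append": [("Content-Type", "text/html"),
                               ("X-Frame-Options", "DENY"),
                               ("X-Frame-Options", "SAMEORIGIN")],
    # Nginx: add_header X-Frame-Options Deny;  (value matching is case-insensitive)
    "nginx_deny": [("Content-Type", "text/html"), ("X-Frame-Options", "Deny")],
    # Obsolete ALLOW-FROM form; the hostname is a placeholder
    "allow_from": [("Content-Type", "text/html"),
                   ("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    # Modern equivalent of DENY via CSP, with no legacy header at all
    "csp_only": [("Content-Type", "text/html"),
                 ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    # Static asset after the FilesMatch block has unset the header
    "png_asset": [("Content-Type", "image/png")],
    # HTML page with neither header
    "unprotected": [("Content-Type", "text/html")],
}


def report() -> Dict[str, str]:
    """Status for every sample, for printing or asserting."""
    return {name: assess(hdrs)["status"] for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict = assess(hdrs)
        print(f"{name:24} {verdict['status']:15} {verdict['reason']}")
```

The `apache_set_then_append` case is the one to watch: the first answer's `Header always append` line, used on a vhost that already does `Header set`, sends two different values, and the checker refuses to call that protected because browsers do not agree on how to read a conflicting header. Pick one directive and one value.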