Hi,
I need your higher-level view on how doable and secure this plan is. We need to find a way to sell our research to specialised websites, which will make it available to their clients via embedded iframes located in protected membership sections. Our website is fully static and can be easily embedded: no server calls or feeds are necessary, just plain loading of HTML.
Now, we want to offer a simple, very fast, plug-and-play type of content embedding into their websites. The content will be accessible via the iframes. They can theoretically place any part of our website into an iframe to show it to clients where they need that. We will specify on our server which domains can access our content via iframe using the following code:
Header set X-Frame-Options "ALLOW-FROM https://specificdomain.com"
Header set Content-Security-Policy "frame-ancestors https://specificdomain.com"
We will also prevent each of the shared pages from being accessed directly (by putting the URL into the search bar), by redirecting the page to the homepage when it is accessed NOT through an iframe:
<script>
// Redirect to the homepage when this page is loaded top-level rather than inside an iframe.
if (window.top === window.self) {
    window.location = "index.html"; // must be viewed inside the main index / partner frame
}
</script>
Or can the client-side page itself check that it is loaded on an allowed domain?
I wonder whether the above solution is workable.
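The question above asks whether the embedded page can check, on the client side, which domain is framing it. The block below is an added example, not code from the original post: it shows the two signals a page has available (`location.ancestorOrigins`, which only Chromium/WebKit browsers implement, and `document.referrer`, which an embedder can suppress with a Referrer-Policy), and how weak each one is. The allow-list `ALLOWED_FRAME_ORIGINS`, the function names and the `decideEmbedding` input shape are assumptions made for the example; the browser values are passed in as parameters so the decision logic can be run and tested under Node.

```javascript
// Added example (not from the original post): client-side check of the
// framing page's origin. Assumed allow-list; in production it would be
// generated from the same source as the frame-ancestors header.
const ALLOWED_FRAME_ORIGINS = ['https://specificdomain.com'];

// Normalise a URL or origin string to scheme://host[:port].
// Returns null for anything that does not parse (including the empty string
// that document.referrer yields when the embedder sends no referrer).
function toOrigin(value) {
  try {
    return new URL(value).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether the current document may be shown.
//   framed:          window.top !== window.self (true inside an iframe)
//   ancestorOrigins: Array.from(location.ancestorOrigins); Chromium/WebKit only,
//                    Firefox does not implement it, so pass [] there
//   referrer:        document.referrer, possibly '' under a strict Referrer-Policy
// Returns { allow: boolean, reason: string }.
function decideEmbedding({ framed, ancestorOrigins, referrer }, allowList = ALLOWED_FRAME_ORIGINS) {
  if (!framed) {
    return { allow: false, reason: 'not framed' };
  }
  if (ancestorOrigins.length > 0) {
    // Every ancestor must be on the list: if the partner's page is itself
    // framed by a third party, that third party is showing our content too.
    const bad = ancestorOrigins.find(o => !allowList.includes(o));
    return bad
      ? { allow: false, reason: 'ancestor not allowed: ' + bad }
      : { allow: true, reason: 'all ancestorOrigins allowed' };
  }
  // Fallback: the referrer only names the immediate parent and can be
  // suppressed or (from a same-origin parent) left empty, so it is a weak signal.
  const ref = toOrigin(referrer);
  if (ref === null) {
    return { allow: false, reason: 'no usable referrer' };
  }
  return allowList.includes(ref)
    ? { allow: true, reason: 'referrer origin allowed (weak signal)' }
    : { allow: false, reason: 'referrer not allowed: ' + ref };
}

// Browser entry point: navigate this frame to the homepage unless the check
// passes. window.location (not top.location) is used because modern browsers
// block a cross-origin iframe from navigating the top window without a
// user gesture; the homepage is public anyway, so showing it is harmless.
function enforceInBrowser() {
  if (typeof window === 'undefined') return; // under Node there is nothing to enforce
  const result = decideEmbedding({
    framed: window.top !== window.self,
    ancestorOrigins: Array.from(window.location.ancestorOrigins || []),
    referrer: document.referrer,
  });
  if (!result.allow) {
    window.location.replace('index.html');
  }
}
enforceInBrowser();
```

Whatever this script decides, it is a presentation gate rather than access control: the page is a static file, so anyone who knows its URL can fetch it with curl, open it with JavaScript disabled, or read it from the partner site's iframe `src` attribute. `frame-ancestors` (and the legacy `X-Frame-Options`) only tells a browser whether to render the document inside a frame; it does not stop the document from being downloaded.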