
Providing research via iframes to specific domains


daverich


Hi,

I need your higher-level view on how doable and secure this plan is. We need to find a way to sell our research to specialised websites, which will make it available to their clients via embedded iframes located in protected membership sections. Our website is fully static and can be easily embedded: no server calls or feeds are necessary, just plain loading of HTML.

Now, we want to offer a simple, very fast, plug-and-play type of content embedding into their websites. The content will be accessible via the iframes. They can theoretically place any part of our website into an iframe to show it to clients where they need that. We will specify on our server which domains can access our content via iframe using the following code:

# Apache syntax: no colon after the header name, straight quotes around the value.
# Note: X-Frame-Options ALLOW-FROM (with a hyphen) was only ever honoured by Firefox and
# Internet Explorer and is ignored by current browsers; frame-ancestors is the directive
# that is actually enforced.
Header set X-Frame-Options "ALLOW-FROM https://specificdomain.com"

Header set Content-Security-Policy "frame-ancestors https://specificdomain.com"

We will also prevent each of the shared pages from being accessed directly (by typing the URL into the address bar) by redirecting the page to the homepage when it is NOT accessed through an iframe:

  <script>
  // Not inside a frame (top-level document): must be viewed in main index.
  // The original had the closing brace inside a comment, so the script did not parse.
  if (window.top === window.self) {
    window.top.location = "index.html";
  }
  </script>

 

OR can the client-side page itself check that it is loaded on an allowed domain?

 

I wonder if the above solution is workable?

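Added example, not code from daverich's post: the policy value the browser actually enforces, built from a per-customer allow-list, next to the most a client-side check can do. The allow-list, the customer hostnames and the `/index.html` fallback are assumptions for illustration.

```javascript
// Added example (not from the original post). Assumed: a per-customer allow-list of
// embedding origins kept on the research server; hostnames below are placeholders.
const ALLOWED_EMBEDDERS = [
  'https://specificdomain.com',
  'https://members.another-customer.example',
];

// An origin is scheme://host[:port] in canonical form: no path, no trailing slash,
// https only. Rejecting anything else keeps junk out of the policy string.
function isValidOrigin(origin) {
  let u;
  try { u = new URL(origin); } catch (e) { return false; }
  return u.protocol === 'https:' && u.origin === origin;
}

// Server side: the Content-Security-Policy value to emit. 'self' is included so the
// research site can still frame its own pages; drop it if that is never needed.
function frameAncestorsPolicy(origins) {
  const bad = origins.filter((o) => !isValidOrigin(o));
  if (bad.length) throw new Error('invalid embedder origin(s): ' + bad.join(', '));
  return "frame-ancestors 'self' " + origins.join(' ');
}

// Client side: a framed page cannot reliably learn who framed it. location.ancestorOrigins
// exists in Chromium and WebKit only; document.referrer is whatever the embedder's
// Referrer-Policy leaves, possibly empty. Treat this as a UX fallback, not a boundary:
// anyone can save the HTML or disable scripts. Inputs are injected so it can be tested.
function embedderAllowed({ isTop, ancestorOrigins, referrer }, allowlist) {
  if (isTop) return false;                       // direct navigation: not embedded at all
  if (ancestorOrigins && ancestorOrigins.length) {
    // Every ancestor must be allowed, matching how frame-ancestors checks the whole chain
    // (an allowed site framed inside an attacker's page is still rejected).
    return ancestorOrigins.every((o) => allowlist.includes(o));
  }
  if (referrer) {
    try { return allowlist.includes(new URL(referrer).origin); } catch (e) { return false; }
  }
  return false;                                   // embedder unknown: fail closed
}

// Browser glue; a no-op outside a browser so the module loads in Node as well.
function enforceInBrowser() {
  if (typeof window === 'undefined') return;
  const ctx = {
    isTop: window.top === window.self,
    ancestorOrigins: window.location.ancestorOrigins
      ? Array.from(window.location.ancestorOrigins) : null,
    referrer: document.referrer,
  };
  if (!embedderAllowed(ctx, ALLOWED_EMBEDDERS)) window.location.replace('/index.html');
}
enforceInBrowser();
```

The string returned by `frameAncestorsPolicy` is what goes into the `Header set Content-Security-Policy` line. Keep in mind what it does and does not do: `frame-ancestors` is enforced by the browser, so it decides where a browser will render the page, not who can fetch it. The server still hands the static HTML to any HTTP client that asks for the URL, so this scheme controls presentation on customer sites; it does not keep the research secret from someone who has the address.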

I wouldn't recommend iframes; they're quite old, and they do weird things. Alternative below; skip this post if not interested.

 

ALTERNATIVE

May I suggest JavaScript widget generation? It'll be lightweight and easier to control.

The src will have a customer key that can be verified to make sure it's being requested by the correct website.
You might be able to create a settings area so that your customers can whitelist their domain for their account.
You'll just need to make sure that the file_that_generates_widget.js is served with a cross-origin header of * as well.

<!--Start of Widget Script-->
<script>
  (function(){
    var s1=document.createElement("script"),s0=document.getElementsByTagName("script")[0];
    s1.async=true;
    s1.src='https://yourdomain.com/file_that_generates_widget.js?customerID=uniqueKey';
    // The crossorigin attribute only takes "anonymous" or "use-credentials"; "*" is not a
    // value of this attribute. "anonymous" makes the browser fetch the script in CORS mode,
    // so it sends an Origin header and requires Access-Control-Allow-Origin on the response.
    s1.crossOrigin='anonymous';
    s0.parentNode.insertBefore(s1,s0);
  })();
</script>
<!--End of Widget Script-->

 

