Jump to content

Providing research via iframes to specific domains


daverich
 Share

Recommended Posts

Hi,

I need your higher level view on how doable and secure is this plan. We need to find a way to sell our research to specialised webistes, which will make it available to their clients via embedded iframes located in protected membership sections. Our website is fully static and can be easily embedded- no server calls and feeds are necessary – just plain loading of html.

Now – we want to offer a simple – very fast – plug and play type of content embedding into their websites. The content will be accessible via the iframes. They can theoretically place any part of our website into iframe to show it to clients where they need that. We will specify it on our server which domains can access our content via iframe using following code:

Header set X-Frame-Options: “ALLOW_FROM https://specificdomain.com”

Header set Content-Security-Policy: “frame-ancestors https://specificdomain.com”

We will also prevent each of the shared pages from being accessed directly (by putting url into search bar) – by redirecting page to homepage when accessed NOT through iframe:

  <script language="Javascript"><!--

if (top.location == self.location) {

  top.location = "index.html" // must be viewed in main index }

//--></script>

 

OR can client side page itself check it is loaded on allowed domain?

 

I wonder if the above solution is workable?

Link to comment
Share on other sites

I wouldn't recommend iframes, they're quite old. And they do weird things. Alternative Below, skip post if not interested.

 

ALTERNATIVE

May I suggest JavaScript widget generation? It'll be lightweight and easier to control.

The src will have a customer key that can be verified to make sure its being requested by the correct website.
You might be able to create a settings area so that your customers can whitelist their domain for their account.
You'll just need to make sure that the file_that_generates_widget.js is served with a cross-origin-header of * as well.

<!--Start of Widget Script-->
<script>
  (function(){
  var s1=document.createElement("script"),s0=document.getElementsByTagName("script")[0];
  s1.async=true;
  s1.src='https://yourdomain.com/file_that_generates_widget.js?customerID=uniqueKey';
  s1.charset='UTF-8';
  s1.setAttribute('crossorigin','*');
  s0.parentNode.insertBefore(s1,s0);
  })();
</script>
<!--End of Widget Script-->

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...