Redirection based on an iframe on an external site 1

[spamjim]

Another web site has framed my company's site in theirs without our consent. The other site is pretending to be associated with ours.

I can break our site out of their frameset with simple javascript but I'd like to go a step further and present an alert to the visitor that the rogue site is not related to my company.

So I tried detecting for http_referer.

if ($_SERVER['HTTP_REFERER']=="[URL unfurl="true"]http://www.theroguesite.com")[/URL] {
	header("Location: [URL unfurl="true"]http://www.oursite.com/alertmessage.php");[/URL]
	exit;	
}

I understand that http_referer is not a perfect solution as not all browsers send this data. I'm not having success with MSIE. Every other major browser appears to handle this.

Can anyone suggest another way to detect if the site is being contained in an iframe from a particular domain?

 

[jpadie]

can't you use js to compare top==self and if they are not the same then reload the content with some suitably damning verbage (instead of breaking out)?

i do not know a way to do this reliably in php as the referrer attribute is completely arbitrary for most browsers.

i suppose a work around is to stop delivering your site via the normal means and instead deliver a javascript loader which either pulls in your proper site or some message. cookies might form the server side mechanism for this. however any kind of frame busting might stop your site being effectively tagged in facebook etc.

 

[spamjim]

I'm not sure if javascript is any more reliable for detecting the referer but here is how I've found to do the same action as the PHP above via js:

<SCRIPT LANGUAGE="JavaScript">
<!-- Begin
var refarray = new Array();
refarray['theroguesite.com'] = "alertmessage.php";
refarray['anotherroguesite.com'] = "alertmessage.php";
for (var i in refarray) {
if (document.referrer.indexOf(i) != -1) window.location.replace(refarray[i]);
}
//  End -->
</script>

Personally, I prefer the PHP method so we don't expose the domains we find unsavory in our client side code.

Regarding "breaking out": The intent is to also get the visitor off of the rogue web site. We want to take over their browsing experience so that they only see our site because that is what they were seeking.

 

[spamjim]

...and to clean up the PHP for anyone passing by later, it should probably look like this to handle any referring URL from that domain:

if(strpos($_SERVER['HTTP_REFERER'], 'theroguesite.com' )) {
	header("Location: [URL unfurl="true"]http://www.oursite.com/alertmessage.php");[/URL]
	exit;
}

 

[jpadie]

you don't need to expose anything in the client side code, assuming that you do not want _any_ kind of framing. Just test to see whether top == self.

if you allow some framing but not others then suggest to your authorised framers that they use a mechanism to obtain a dynamic key for each session and then include that key in the frame's url

 

[spamjim]

Yep - we've got a few 'allowed' framers and their ability to tweak their site is limited... so I'm stuck with crude solutions.

 

[jpadie]

then use the solution I proposed of getting authorised framers to use a dynamic key for each session.
this could be provided by your site or could be a cypher based on a preshared salt and the current UTC. you could then allow all requests within, say, ten seconds of the cyphered time.