Show message when framed .htaccess
I'm trying to show an error message when another site attempts to iframe my site. I'm using .htaccess:
Header set X-Frame-Options DENY
However, this just creates a blank page, without the iframe. Is it possible to display an error message, instead of just a blank screen?
Update
I am not looking for any JavaScript solutions
Solution 1:[1]
You can display a custom error page with your message.
ErrorDocument 403 /access.html
For more details: http://www.hostingmanual.net/fun-with-htaccess-tutorial-examples/
Solution 2:[2]
iframes are handled by the browser.
The client decides whether to display the content of the iframe or not and whether to honor the SAMEORIGIN options.
Even when you use .htaccess, the server doesn't know the difference between a page request coming for the whole page, like when someone visits the page directly, and one coming from an iframe.
What you can do is check HTTP_REFERER. Check this sample. I haven't tested it, but the idea is to block the page from being accessed from anywhere other than your own website.
RewriteEngine On
RewriteCond %{QUERY_STRING} !^id=[^&]+ [NC]
RewriteCond %{HTTP_REFERER} !^http://your-website.com
# then redirect to a different page
RewriteRule !^start start [L,NC,R=302]
But as I mentioned earlier, HTTP_REFERER is not a 100% reliable solution and can be spoofed. But, well, anything on the internet is not 100% reliable.
Solution 3:[3]
You can use mod_rewrite or <if> to check the referrer (it's the enclosing page in the case of an iframe) and redirect entire sections of your site to a static file.
Here's one of many possible starter recipes to check against a list of acceptable referer domains:
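RewriteEngine ON
# Leave the error page itself alone to avoid a rewrite loop
RewriteCond %{REQUEST_URI} !iframe_err.html
# Allow an empty referer or one from mydomain.com (http or https)
RewriteCond %{HTTP_REFERER} !^($|https?://(www.)?mydomain.com)
RewriteRule .* /iframe_err.html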
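The referer allowlist idea from Solution 3, exercised against constructed Referer values. This is an added example, not part of the original answers: it compares a prefix pattern of the same shape as the recipe with an exact-host check, and the host names, helper functions and sample values are assumptions.

```python
import re
from urllib.parse import urlsplit

# Same shape as the recipe above: unescaped dots, nothing required after the host.
LOOSE = re.compile(r"^($|https?://(www.)?mydomain.com)")

# Assumed site hosts (placeholders built from the recipe's mydomain.com).
ALLOWED_HOSTS = {"mydomain.com", "www.mydomain.com"}


def loose_allows(referer: str) -> bool:
    """Mimic the RewriteCond prefix match: True means the real page is served."""
    return LOOSE.search(referer) is not None


def strict_allows(referer: str) -> bool:
    """Parse the Referer and compare the exact host instead of a prefix."""
    if referer == "":
        return True  # direct visits and privacy-stripped requests send no Referer
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


# Constructed Referer values, not captured traffic.
SAMPLES = [
    "",
    "https://www.mydomain.com/page",
    "https://other.example/embed.html",
    "https://mydomain.com.other.example/embed.html",
    "https://mydomainXcom/embed.html",
]


def compare(samples=SAMPLES):
    """Return (referer, loose_result, strict_result) for each sample."""
    return [(r, loose_allows(r), strict_allows(r)) for r in samples]


if __name__ == "__main__":
    for referer, loose, strict in compare():
        print(f"{referer!r:50} loose={loose!s:5} strict={strict}")
```

In mod_rewrite the equivalent tightening is to escape the dots and require `/`, `:` or end of string after the host name. Either check only decides which page is served, and an empty Referer passes both, so the X-Frame-Options header from the question should stay in place.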
Solution 4:[4]
HTML
<!DOCTYPE html>
<html lang=en>
<head>
<title>Blocking iFrame with JS</title>
</head>
<body>
<p>page content</p>
<script src='iframe/blocker.js'></script>
</body>
</html>
JS
if (window.top !== window.self) window.top.location.replace(window.self.location.href);
Notice: This JS code redirects to parent page (where the iFrame sits) - Of course you could also use the solution of covener, his solution to your problem is very interesting :)
More Information about why it is bad if your page was 'iframed' on the source page
Requirements: JavaScript enabled
Downside: I wouldn't recommend this, since the attackers have all of the same tools you do, and they can use sandboxing to prevent you from running JavaScript or redirecting the window
Source: https://www.tinfoilsecurity.com/blog/protect-your-website-from-embedded-content-iframe-security
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Glorfindel |
| Solution 2 | GeekAb |
| Solution 3 | covener |
| Solution 4 |
