Any config tricks to stop site from framing us?

Branden Visser mrvisser at gmail.com
Tue Dec 3 21:56:50 UTC 2013


Sorry, I misinterpreted your question. The header does not support
specifying specific hosts, for example, that you want to allow
iframing from.

Using the JavaScript technique, perhaps something could be done to
ensure window.parent.location.href matches some pattern or list of
hosts. I haven't implemented anything like that before, though.

Hope that helps,
Branden

On Tue, Dec 3, 2013 at 4:49 PM, Branden Visser <mrvisser at gmail.com> wrote:
> On Tue, Dec 3, 2013 at 4:46 PM, Ian Evans <ianevans at digitalhit.com> wrote:
>> On 2013-12-03 16:32, Branden Visser wrote:
>>>
>>> If they're using an iframe rather than a proxy then IP tricks won't help.
>>>
>>> Using the X-FRAME-OPTIONS header is probably your best bet [1]
>>>
>>> Hope that helps,
>>> Branden
>>>
>>> [1] http://stackoverflow.com/questions/2896623/how-to-prevent-my-site-page-to-be-loaded-via-3rd-party-site-frame-of-iframe
>>
>>
>> Thanks. Just did a cursory look, but does the header allow some sites to
>> frame? e.g. letting stumbleupon do it but not others?
>>
>
> No, I don't believe that's the case. If the browser supports it, it
> *should* stop anyone from iframing, but you're at the mercy of the
> browser implementation AFAIK -- so maybe Google's Chrome has some big
> money deals with service providers like stumbleupon, for example (pure
> speculation). There are other options listed in there such as
> JavaScript tricks to verify the "self" frame is the same as the
> "parent" frame. So you can also have a secondary check like that.
>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
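
A sketch of the host-allowlist check suggested in the thread, as an added example that is not part of the original messages: it identifies the framing host from `location.ancestorOrigins`, then from a same-origin `parent.location.href` read (a cross-origin read throws), then from `document.referrer`, and fails closed when the framer is unknown. `ALLOWED_FRAMERS`, the host in it and the function names are assumptions made for illustration.

```javascript
// Added example, not from the thread. The allowlist entry is constructed.
const ALLOWED_FRAMERS = new Set(["www.stumbleupon.com"]);

// Hosts of the documents framing `win`: [] when top-level, null when framed
// but the framer cannot be identified.
function framerHosts(win) {
  if (win.self === win.top) return [];
  // Every ancestor's origin, where the browser exposes it (not all do).
  const ao = win.location.ancestorOrigins;
  if (ao && ao.length > 0) return Array.from(ao, (o) => new URL(o).hostname);
  try {
    // Readable only for a same-origin parent; cross-origin access throws.
    return [new URL(win.parent.location.href).hostname];
  } catch (e) { /* fall through to the referrer */ }
  try {
    // On the frame's first load the referrer is normally the framing page's
    // URL, but the framer can suppress it; an empty string makes URL() throw.
    return [new URL(win.document.referrer).hostname];
  } catch (e) {
    return null;
  }
}

// True when the page is top-level or every known framer is our own host or
// on the allowlist. Unknown framers are rejected (fail closed).
function framingAllowed(win, allowed) {
  const hosts = framerHosts(win);
  if (hosts === null) return false;
  return hosts.every((h) => h === win.location.hostname || allowed.has(h));
}

// Browser-only enforcement: hide the document when framing is not allowed.
// This is a secondary check; it does nothing where scripts are disabled.
if (typeof window !== "undefined" && !framingAllowed(window, ALLOWED_FRAMERS)) {
  window.document.documentElement.style.display = "none";
}
```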


