There are several advantages and disadvantages of IFRAME; we are going to look at the ones that matter most. We will also learn what the "X-Frame-Options" header is and how to handle it.
An IFRAME lets you load an external website or HTML page inside your own web page. Most websites and pages can run inside an IFRAME, and it has attributes such as frameborder and scrolling that let you customize how its content is displayed. Earlier you could load any type of website in an IFRAME, but as the popularity of IFRAME increased, new vulnerabilities such as Cross-Site Request Forgery (CSRF), also known as Clickjacking, and Cross-Site Scripting (XSS) came into the picture.
Do's: Always try to load a page from the same domain in an IFRAME. Loading a page from a different domain or sub-domain may not load all of its functionality, or may harm your site.
To prevent these types of vulnerabilities, newer browsers introduced security measures. One of them is the "X-Frame-Options" header. When a browser loads a website in an IFRAME, it first checks whether this option is present in the site's response headers. If the option is not found in the headers, the browser allows the IFRAME to load the given site. If the browser finds the option, it checks its value. Header values are generally key-value pairs. Two values are found in "X-Frame-Options": the first is "DENY" and the second is "SAMEORIGIN". Figure 1 displays these values.
"DENY" means the website is not allowed to load in an IFRAME. If you don't want anyone to load your site in any IFRAME, set this value in the response header (X-Frame-Options: DENY). See the screenshots of IE 9 (Figure 2) and Chrome (Figure 3), where the browser's security blocks this type of loading.
"SAMEORIGIN" means the website content may only be framed by pages from the same domain.
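The browser-side decision described above, written out as an added example (not code from the original article): it parses the header block of a raw HTTP response and applies the three cases the text lists, with no header meaning "allowed". It assumes the constructed sample responses below and compares SAMEORIGIN against the framing page's origin only; unrecognised values are treated as absent, which is what RFC 7034 specifies.

```python
from urllib.parse import urlsplit


def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP response into a lower-cased name -> value dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def origin(url: str) -> tuple:
    """The (scheme, host, port) triple a browser compares for SAMEORIGIN."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def framing_allowed(raw_response: str, framed_url: str, framer_url: str) -> bool:
    """Decide whether the browser will let framer_url load framed_url in an IFRAME.

    No header     -> allowed (browser loads the page in the IFRAME).
    DENY          -> never allowed.
    SAMEORIGIN    -> allowed only when the framing page has the same origin.
    Other values  -> header ignored, so allowed (RFC 7034 behaviour; assumption here).
    """
    value = parse_headers(raw_response).get("x-frame-options")
    if value is None:
        return True
    value = value.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(framed_url) == origin(framer_url)
    return True


# Constructed sample responses for the example; not captured from any real site.
DENY_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n<html></html>"
SAMEORIGIN_RESPONSE = "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n<html></html>"
OPEN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(framing_allowed(DENY_RESPONSE, "https://example.com/a", "https://example.com/b"))      # False
    print(framing_allowed(SAMEORIGIN_RESPONSE, "https://example.com/a", "https://other.example/x"))  # False
    print(framing_allowed(OPEN_RESPONSE, "https://example.com/a", "https://other.example/x"))    # True
```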
In such cases, if you want to load a website in an IFRAME, first check that site's response headers. The code for checking the header value of any site is given below.
C# function that retrieves the X-Frame-Options header value of a site
// Requires: using System; using System.IO; using System.Net; using System.Text;
// link is the URL to check; parameter is the form-encoded POST body to send.
static string GetXFrameOptions(string link, string parameter)
{
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(link);
    request.Method = "POST";
    byte[] byteArray = Encoding.UTF8.GetBytes(parameter);
    request.ContentType = "application/x-www-form-urlencoded";
    request.ContentLength = byteArray.Length;
    using (Stream dataStream = request.GetRequestStream())
    {
        dataStream.Write(byteArray, 0, byteArray.Length);
    }
    using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
    {
        if (response.StatusCode == HttpStatusCode.OK)
        {
            // Returns null when the site sends no X-Frame-Options header
            return response.Headers["X-Frame-Options"];
        }
        return null;
    }
}
PHP function that retrieves the X-Frame-Options header value of a site
function getResponseHeader($url) {
    $headers = get_headers($url, 1); // response headers as an associative array
    return isset($headers['X-Frame-Options']) ? $headers['X-Frame-Options'] : null;
}
$url = 'http://www.google.com/';
$res_arr = getResponseHeader($url); // null when the site sends no X-Frame-Options header
(Note: Framing third-party content in another web page raises copyright issues, so please make sure you are not violating the website's copyright terms.)
By Dharmendra Mistry