Different ways to embed a page

We provide a third-party site to customers. Often, when we process RFPs, we are asked if it is possible to implement our site on a client's site. Many of our potential customers have unusual restrictions or requests, such as "do not use iframes".

To this end, I was asked to make sure that our upcoming redesign of our site makes it practical for implementation on client sites in at least two ways.

Ways to embed a full-fledged website (as opposed to an image with a cross-site image or part of static content) inside another:

  • iframe - Much used, often faked, and some of our previous RFPs specifically excluded this as an option.

  • Object / Embed tags - going back, you can embed a full-featured HTML page into another one just like you embed a Flash object.

  • Ajax is supposedly capable of loading a complete site into an HTML element (such as a div tag), but there seem to be additional security hoops to jump through because of the danger of cross-domain requests.

Are there other ways to host a complete site from another domain inside another? Are there any caveats or restrictions for any of the above three (for example, our site uses AJAX calls to log in and update some user parameters; will they all function correctly in each of the above embedding strategies)? What else might I not know?

Thanks in advance.

1 answer

X-Frame-Options Response Header

If you embed your site on another party's site, you should be careful with the X-Frame-Options response header. Make sure your site does not send SAMEORIGIN as the value for X-Frame-Options. If you do this, it will cause problems for iframes and embedded objects. You can do two things:

  • You do not send the header at all: any site will be able to display your site in an iframe or as an embedded object. This can cause security issues such as clickjacking. See this article for more information on clickjacking and protection against it.

  • You can make sure that only the site you are embedding into can embed your site: this is done by sending the ALLOW-FROM url value for the X-Frame-Options header. You can sniff the HTTP Referer to determine which site is requesting your page. This is actually safer than option 1 (unless, of course, the user's browsers are malicious). NOTE: not all browsers support ALLOW-FROM. See the related link for supported browsers.

Same origin policy

The same origin policy will not affect you because your site and your customer's site do not have access to each other's DOM.

CORS

Cross-Origin Resource Sharing should be considered if a script from your client's page makes an AJAX (XmlHttpRequest) request for resources on your site. But as far as your question is concerned, I do not think this is the case.

I gave an answer explaining CORS some time ago; you can read it if you want a basic understanding of CORS.

Third party plugins

It looks like you are trying to implement some features on a customer's site. Consider creating site plugins such as Facebook and Disqus do.

I am not sure if the policy of the same origin or CORS applies here. I will find it and get back to you.

Note: X-Frame-Options, the same origin policy and CORS are implemented by browsers. You can't do anything if the user's browser doesn't implement these things or if the browser is hacked so as not to abide by these security policies.

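The answer above covers two server-side decisions separately: which site may frame you (the X-Frame-Options ALLOW-FROM value, chosen by sniffing the Referer) and which site's scripts may call your AJAX endpoints (CORS). The following is an added example, not code from the question or the answer, that makes both decisions from one allowlist of customer origins. It is framework-agnostic: it takes a lowercase-keyed object of request headers and returns the response headers to set. The customer origins are constructed sample values. One caveat the answer only hints at: ALLOW-FROM was never widely supported and current browsers ignore it, so the example also emits the Content-Security-Policy frame-ancestors directive, which is the supported replacement; the CORS grant echoes exactly one allowed origin, since a wildcard cannot be combined with credentials such as the login cookie the question mentions.

```javascript
// Added example (not part of the original question or answer).
// Computes the response headers that control (a) whether a customer site may
// embed this site in an iframe/object and (b) whether a script on that site
// may call this site with XMLHttpRequest and send credentials.
//
// Assumptions: ALLOWED_EMBEDDERS is constructed sample data; the web
// framework in front of this passes request headers as a lowercase-keyed
// object (as Node's http module and Express do).

const ALLOWED_EMBEDDERS = new Set([
  "https://client-a.example",        // constructed sample customer origin
  "https://portal.client-b.example", // constructed sample customer origin
]);

// Reduce a Referer or Origin header value to its origin, or null if it is
// missing or unparsable. new URL() throws on garbage, which is caught here
// so a malformed header is treated as "unknown", never as "allowed".
function originOf(value) {
  if (typeof value !== "string" || value === "") return null;
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Identify who is asking. The Origin header is preferred: browsers set it on
// CORS requests and page script cannot override it. Referer is the fallback
// the answer describes for plain iframe loads, where Origin is not sent;
// a customer page with a strict Referrer-Policy sends neither, and then the
// request is simply treated as unknown.
function requestingOrigin(headers) {
  return originOf(headers["origin"]) || originOf(headers["referer"]);
}

function embedHeaders(headers, allowlist = ALLOWED_EMBEDDERS) {
  const who = requestingOrigin(headers);
  const allowed = who !== null && allowlist.has(who);
  // The response differs per requesting origin, so caches must key on it.
  const out = { "Vary": "Origin" };

  if (allowed) {
    // Legacy directive from the answer: a single origin, ignored by current
    // browsers, kept only for old ones that honoured it.
    out["X-Frame-Options"] = `ALLOW-FROM ${who}`;
    // Supported replacement: CSP frame-ancestors with the same single origin.
    out["Content-Security-Policy"] = `frame-ancestors 'self' ${who}`;
    // CORS for the customer's XMLHttpRequest calls: echo the one allowed
    // origin (never "*") so the browser will attach and accept cookies.
    out["Access-Control-Allow-Origin"] = who;
    out["Access-Control-Allow-Credentials"] = "true";
  } else {
    // Unknown, missing or unlisted origin: refuse framing and grant no CORS
    // access. This is the safe default against clickjacking.
    out["X-Frame-Options"] = "SAMEORIGIN";
    out["Content-Security-Policy"] = "frame-ancestors 'self'";
  }
  return out;
}

// Stand-alone demonstration with constructed request headers.
console.log(embedHeaders({ referer: "https://client-a.example/portal/page?x=1" }));
console.log(embedHeaders({ referer: "https://unlisted.example/" }));
console.log(embedHeaders({}));
```

In an Express handler this would be `res.set(embedHeaders(req.headers))` before sending the page or the AJAX response; preflight (OPTIONS) requests for the login endpoint need the same origin check plus the usual Access-Control-Allow-Methods and Access-Control-Allow-Headers lines, which this example leaves out.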

Source: https://habr.com/ru/post/1204191/