How to allow iframe embedding only for whitelisted websites?

php html forms iframe referer
Mr. B. picture Mr. B. · Sep 14, 2016 · Viewed 25.2k times · Source

I've a form that I'd like to embed in a website, which is on my whitelist.

Other websites, that try to embed it, should get only an error page. 

<iframe src="https://domain.tld/getForm.php?embed=1&formId=123456"></iframe>

I was hoping that I could use $_SERVER['HTTP_REFERER'] in getForm.php to check the embeding website, but it's not working.

Does anyone know a best practise or any workaround?

Thanks in advance!

Answer

Josh Mc picture Josh Mc · Jan 13, 2020

Content Security Policy headers are now the recommended approach.

Example from MDN:

// iframe can be embedded in pages on the origin and also on https://www.example.org
Content-Security-Policy: frame-ancestors 'self' https://www.example.org;

For more details see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

Related questions

How to read if a checkbox is checked in PHP?

How to read if a checkbox is checked in PHP?

Read More
Get $_POST from multiple checkboxes

I have 1 form in with multiple checkboxes in it (each with the code): <input type="checkbox" name="check_list" value="<? echo $row['Report ID'] ?>"> Where $row['Report ID'] is a primary key in a database -so …

Read More
How to prevent form resubmission when page is refreshed (F5 / CTRL+R)

I have a simple form that submits text to my SQL table. The problem is that after the user submits the text, they can refresh the page and the data gets submitted again without filling the form again. I could …

Read More