Vieri l33t
Joined: 18 Dec 2005 Posts: 887
Posted: Sun Oct 18, 2020 10:24 pm Post subject: [SOLVED] HTTP: open frame from specific domains
Hi,
I have a PHP script on an Apache server. I want it to be loaded ONLY as a frame and only from specific domains.
I have this in the script:
Code:
header("Content-Security-Policy: frame-ancestors https://*.mydomain.org:* https://*.myotherdomain.org:*");
Am I wrong if I state that I shouldn't be able to call this script if I surf to http://IP_ADDRESS/myFrameScript.php ?
What am I missing, or am I misunderstanding something?
Vieri
Last edited by Vieri on Mon Oct 19, 2020 11:33 am; edited 1 time in total
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Sun Oct 18, 2020 10:51 pm Post subject:
Hi
what you can do is add a "<Files></Files>" clause to your vhost config file in apache.
something like:
Code:
<Files "myFrameScript.php">
Require host <insert a space separated list of the domains that ARE allowed to execute the file>
</Files>
I do not know if the wildcard will work but if not then please state the domains explicitly.
I am not sure it will work but you can give it a try.
Hu Administrator
Joined: 06 Mar 2007 Posts: 21724
Posted: Mon Oct 19, 2020 12:21 am Post subject:
As I read the opening post, the request is that the script can be rendered in a frame served from allowed.example.org, but not rendered in a frame served from denied.example.org. As I read the Apache Access Control documentation, Require host is used to require that the request originate from the named host. These are different situations. OP wants to allow a browser running anywhere to request the document, but only if the browser is making the request as a result of a frame from allowed.example.org. Require host would be appropriate if you want to specify that only a browser running at client.example.org could make requests, but not browsers running on denied.example.org.
Banana Veteran
Joined: 21 May 2004 Posts: 1407 Location: Germany
Vieri l33t
Joined: 18 Dec 2005 Posts: 887
Posted: Mon Oct 19, 2020 8:00 am Post subject:
Very nice site, thank you.
Is it possible to block "direct" access to the frame script and allow it to render ONLY when accessed as an included iframe?
In other words, https://domain/frame.php would never show content whereas https://domain/showframe.php would.
[EDIT] well, I guess that would fall into the "deny client connection" category to that specific script, but can it be done with just PHP (no apache)?
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Mon Oct 19, 2020 11:18 am Post subject:
Make it check the Referer [sic] header contains one of those domains, which should be the case when it's in a frame.
On the sending side the iframe should have referrerpolicy="strict-origin" or "no-referrer-when-downgrade".
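As an added example, not code from any poster in this thread: a PHP page that combines the two mechanisms discussed above. It sends the frame-ancestors header from the opening post, which (as Hu explains) only tells the browser which parent pages may embed it and does nothing for a direct visit to http://IP_ADDRESS/myFrameScript.php, and it applies Ant P.'s Referer check on the server so a direct request gets a 403. The allow-listed domains are taken from the opening post; the function names are mine, and the optional Sec-Fetch-Dest check uses a standard Fetch Metadata request header that current browsers send (a browser that omits it falls through to the Referer check).

```php
<?php
// Added example (not the poster's code): render this page only when it is
// loaded inside an <iframe> whose parent is on an allow-listed domain.
// Assumed allow-list, taken from the opening post's frame-ancestors value.
const ALLOWED_PARENT_DOMAINS = ['mydomain.org', 'myotherdomain.org'];

/**
 * True when $host is one of the allowed domains or a subdomain of one,
 * mirroring the "https://*.mydomain.org" pattern in frame-ancestors.
 * The suffix match is anchored on a dot so "evilmydomain.org" does not pass.
 */
function parent_host_allowed(string $host, array $allowed): bool
{
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowed as $domain) {
        $domain = strtolower($domain);
        if ($host === $domain) {
            return true;
        }
        $suffix = '.' . $domain;
        if (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

/**
 * Decide from the request headers whether this load came from an allowed
 * frame. Referer is a hint, not proof: the embedding page's referrerpolicy
 * decides whether it is sent at all (see Ant P.'s note), and a client can send
 * any value it likes. This stops casual direct access; it is not an
 * authentication check, so never gate sensitive data on it alone.
 */
function framed_from_allowed_origin(array $server, array $allowed): bool
{
    // Fetch Metadata: a top-level navigation carries "document", a load inside
    // an <iframe> carries "iframe". Only consulted when the browser sends it.
    if (isset($server['HTTP_SEC_FETCH_DEST']) && $server['HTTP_SEC_FETCH_DEST'] !== 'iframe') {
        return false;
    }
    if (empty($server['HTTP_REFERER'])) {
        return false; // direct navigation, or Referer suppressed: deny
    }
    $parts = parse_url($server['HTTP_REFERER']);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return false;
    }
    // With referrerpolicy="strict-origin" only scheme://host[:port] arrives,
    // which is all this check needs.
    return parent_host_allowed($parts['host'], $allowed);
}

// Browser-side control: which parents may embed us. Enforced by the browser
// when embedding is attempted; it does not block someone typing the URL.
header("Content-Security-Policy: frame-ancestors https://*.mydomain.org:* https://*.myotherdomain.org:*");

// Server-side control: refuse to render unless the request looks framed from
// an allowed parent.
if (!framed_from_allowed_origin($_SERVER, ALLOWED_PARENT_DOMAINS)) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit("This page is only available inside an allowed frame.\n");
}

// Normal frame content follows.
echo "<p>Framed content</p>";
```

Keep both headers: frame-ancestors is what actually stops a hostile page from embedding the script (the server cannot see the parent page when the Referer is stripped), while the Referer/Sec-Fetch-Dest check is what answers the follow-up question about hiding content from a direct visit.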
Vieri l33t
Joined: 18 Dec 2005 Posts: 887
Posted: Mon Oct 19, 2020 11:33 am Post subject:
Thanks!