How to allow iframe embedding only for whitelisted websites?

Content Security Policy headers are now the recommended approach.

Example from MDN:

// iframe can be embedded in pages on the origin and also on https://www.example.org
Content-Security-Policy: frame-ancestors 'self' https://www.example.org;

For more details see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors


Most browsers will support the X-Frame-Options header.

This header will prevent access:

X-Frame-Options: SAMEORIGIN

And this header will allow access:

X-Frame-Options: ALLOW-FROM [uri]

Examples for the options:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/

An example in PHP:

<?php header('X-Frame-Options: SAMEORIGIN'); ?>

You can read further here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Hope it helps a bit!
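
As an added example (not part of the answer above), here is one way to build the `frame-ancestors` header from a server-side allowlist in PHP, validating each entry so that a malformed origin cannot alter the policy. The allowlist entries and the function names `normalize_origin` and `frame_ancestors_header` are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed allowlist for illustration: the sites permitted to embed this page.
const FRAME_ALLOWLIST = [
    'https://www.example.org',
    'https://partner.example.com:8443',
];

// Return the origin in canonical form, or null if it is not a bare https origin.
function normalize_origin(string $origin): ?string
{
    // Reject characters that could add directives or sources; wildcards are refused on purpose.
    if (preg_match('/[\s;,\'"*]/', $origin)) {
        return null;
    }
    $parts = parse_url($origin);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return null;
    }
    // A path, query, fragment or userinfo means this is not a plain origin.
    foreach (['path', 'query', 'fragment', 'user', 'pass'] as $key) {
        if (isset($parts[$key])) {
            return null;
        }
    }
    $port = isset($parts['port']) ? ':' . $parts['port'] : '';
    return 'https://' . strtolower($parts['host']) . $port;
}

// Build the full header line; an empty allowlist yields 'self' only.
function frame_ancestors_header(array $allowlist): string
{
    $sources = ["'self'"];
    foreach ($allowlist as $origin) {
        $clean = normalize_origin($origin);
        if ($clean === null) {
            throw new InvalidArgumentException("Invalid origin in allowlist: $origin");
        }
        $sources[] = $clean;
    }
    return 'Content-Security-Policy: frame-ancestors ' . implode(' ', array_unique($sources)) . ';';
}

header(frame_ancestors_header(FRAME_ALLOWLIST));
// X-Frame-Options cannot express a multi-origin allowlist, so the fallback for
// browsers without frame-ancestors support fails closed to same-origin framing.
header('X-Frame-Options: SAMEORIGIN');
```

With the constructed allowlist above, the first header sent is `Content-Security-Policy: frame-ancestors 'self' https://www.example.org https://partner.example.com:8443;`.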