On Tue, Dec 3, 2013 at 4:46 PM, Ian Evans <ianevans@digitalhit.com> wrote:
> On 2013-12-03 16:32, Branden Visser wrote:
>>
>> If they're using an iframe rather than a proxy then IP tricks won't help.
>>
>> Using the X-FRAME-OPTIONS header is probably your best bet [1]
>>
>> Hope that helps,
>> Branden
>>
>> [1]
>>
>>
>> http://stackoverflow.com/questions/2896623/how-to-prevent-my-site-page-to-be-loaded-via-3rd-party-site-frame-of-iframe
>
>
> Thanks. Just did a cursory look, but does the header allow some sites to
> frame? e.g. letting stumbleupon do it but not others?
>
No I don't believe that's the case. If the browser supports it, it
*should* stop anyone from iframing, but you're under the mercy of the
browser implementation AFAIK -- so maybe Google's Chrome has some big
money deals with service providers like stumbleupon, for example (pure
speculation). There are other options listed in there such as
JavaScript tricks to verify the "self" frame is the same as the
"parent" frame. So you can also have a secondary check like that.
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx