
How to embed an iframe in another Iframe???



Is it possible to embed an Iframe inside another Iframe so the 2nd Iframe thinks the referer is the first Iframe?

 

EG.

<iframe src='http://www.google.com'>
<iframe src='http://www.phpfreaks.com'></iframe>
</iframe>

 

If not, how else could I go about doing this?

Is it possible to embed an Iframe inside another Iframe so the 2nd Iframe thinks the referer is the first Iframe?

 

iframes will show the immediate parent page as the referring URL.  So to answer your question exactly, if you have iframe content within iframe content, yes, that inner iframe will show the iframe as the referring URL. 

 

However, I suspect what you may really mean is, "Is there a way to make the 2nd iframe think the referrer is the top/parent page?" And the short answer is no.  The more complicated answer is no, there's no way to make it think the referring url is the parent page, but you may possibly be able to find out that parent url, if the iframed page you want to act on, is on the same domain as the parent domain.  Basically you will run into XSS issues if on different domains.  But if the pages are on the same page, you can work your way up the DOM ladder to the parent page and get the url (or in case the "middle-man" iframe is diff domain, you can do top.location.href on the inner iframe). 

 

But if the inner iframe page is on different domain than the top page, only way to find that out, is to explicitly pass the top URL as a query string param to each iframe src attrib and grab it from there.

 

In any case, this:

 

<iframe src='http://www.google.com'>
<iframe src='http://www.phpfreaks.com'></iframe>
</iframe>

 

...is not possible, that's not how iframes work.  The stuff you put between an iframe tag only gets rendered if iframes are disabled or are otherwise not renderable in the browser.  Basically it's the equivalent of a noscript tag, used to show alternate content in the event that the iframe will not render.  Example:

 

<iframe src='http://www.google.com'>
sorry, your browser doesn't support iframes!
</iframe>

 

This will attempt to load the contents of google.com on your page (within the iframe boundary...normally you specify height and width attribs in the tag...).  But if for some reason your browser hates iframes, it will instead show that "sorry, your browser doesn't support iframes!" message.

 

Here is an example of how a real iframe-within-an-iframe works.  Make 3 pages:

 

test.php

hello from page 1!
<br/>
<iframe height='50%' width='50%' src='test2.php'></iframe>

 

test2.php

hello from page 2!
<br/>
referring url:
<script type='text/javascript'>
  document.write(document.referrer);
</script>
<br/>
top url: 
<script type='text/javascript'>
  document.write(top.location.href);
</script>
<br/>
<iframe height='50%' width='50%' src='test3.php'></iframe>

 

test3.php

hello from page 3!
<br/>
referring url: 
<script type='text/javascript'>
  document.write(document.referrer);
</script>
<br/>
top url: 
<script type='text/javascript'>
  document.write(top.location.href);
</script>

 

This will output something like this:

 

[Image: webpageception.png]

 

In this example, all pages are on the same crayonviolent.com domain, so you can see both the referring and top url values.  But let's say the pages were located at:

 

site1.com/test.php

site2.com/test2.php

site3.com/test3.php

 

You will still see document.referrer showing the url the script was included on, but the top url will no longer work.  It will either display nothing or undefined depending on the browser, and you will see an access denied error thrown (XSS).

 

But you can do for example:

 

site1.com/test.php

site2.com/test2.php

site1.com/test3.php

 

Since test3 and test are both on the same domain, you will be able to get the top url. 
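
The lookup order described in the post above (read top.location.href, fall back to a URL passed in the iframe src, then to document.referrer), written out as an added example that is not part of the original post. The parameter name "topurl" and the helper makeFrame are assumptions made for illustration; makeFrame builds a constructed stand-in for a frame so the code also runs outside a browser.

```javascript
// Added example. `win` is any window-like object; in a browser, pass `window`.
// "topurl" is a hypothetical query-string parameter name, not from the post.
function resolveTopUrl(win) {
  // 1. Same domain as the top page: the direct read succeeds.
  try {
    const href = win.top.location.href;
    if (typeof href === 'string' && href) {
      return { url: href, source: 'top.location', clientSupplied: false };
    }
  } catch (err) {
    // Different domain: the browser refuses the read ("access denied").
  }
  // 2. URL passed explicitly by the embedding page in the iframe src.
  //    Anyone can craft this value, so accept only http(s) and never
  //    use it for an access decision.
  const passed = new URL(win.location.href).searchParams.get('topurl');
  if (passed) {
    try {
      const u = new URL(passed);
      if (u.protocol === 'http:' || u.protocol === 'https:') {
        return { url: u.href, source: 'query', clientSupplied: true };
      }
    } catch (err) {
      // Not an absolute URL: fall through to the referrer.
    }
  }
  // 3. document.referrer names only the immediate parent frame.
  const ref = win.document.referrer;
  return { url: ref || null, source: ref ? 'referrer' : 'none', clientSupplied: true };
}

// Constructed stand-in for a nested frame; topHref === null simulates a
// cross-domain top page whose location cannot be read.
function makeFrame(href, referrer, topHref) {
  const topLocation = {
    get href() {
      if (topHref === null) throw new Error('SecurityError (simulated)');
      return topHref;
    },
  };
  return { location: { href }, document: { referrer }, top: { location: topLocation } };
}

// The post's two layouts, seen from test3.php (constructed sample values).
const sameDomain = makeFrame('http://site1.com/test3.php',
  'http://site2.com/test2.php', 'http://site1.com/test.php');
const crossDomain = makeFrame('http://site3.com/test3.php?topurl=http%3A%2F%2Fsite1.com%2Ftest.php',
  'http://site2.com/test2.php', null);
console.log(resolveTopUrl(sameDomain).source, resolveTopUrl(crossDomain).source);
```

Only the first source is a value the browser vouches for; the query-string and referrer values are whatever the requesting client chose to send.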

 

 

Thank you for your great reply, lots of good information which I'm sure I can make good use of. It seems that the only way to hide the referring URL is if you have control of the files on the domain; this method wouldn't obviously work on domains which I don't own, e.g. PHPfreaks.

 

I was thinking maybe it could be possible to reload another URL on the same Iframe; would that work to give a different referrer URL?

I'm not personally trying to trick any websites; I have a client who is wanting to change the referrer and has asked if I can get it done. Sorry to be blunt, and I don't wish to be rude, but I'm needing help and none of your posts thus far have actually been of any help. If you're not able to actually contribute to my problem then I think it would be best you didn't post.

Okay well in my head, "hide the referrer"  and make it "thinks the referer is the first Iframe" (from OP) are two different things.  If you want to "hide" or obfuscate the referring URL from the target page, the bottom line is there is no elegant, 100% way to do this (see ignace's post for a link to what you can do).

Okay well in my head, "hide the referrer"  and make it "thinks the referer is the first Iframe" (from OP) are two different things.  If you want to "hide" or obfuscate the referring URL from the target page, the bottom line is there is no elegant, 100% way to do this (see ignace's post for a link to what you can do).

 

Yes, sorry, what I'm trying to do is make the referrer look like it's coming from somewhere else, e.g. google.com. I have read that article and I will read through it again; I'm thinking that this maybe isn't possible.

Okay well in my head, "hide the referrer"  and make it "thinks the referer is the first Iframe" (from OP) are two different things.  If you want to "hide" or obfuscate the referring URL from the target page, the bottom line is there is no elegant, 100% way to do this (see ignace's post for a link to what you can do).

 

Yes, sorry, what I'm trying to do is make the referrer look like it's coming from somewhere else, e.g. google.com. I have read that article and I will read through it again; I'm thinking that this maybe isn't possible.

 

It's not. You're trying to change client-side behaviour with server side scripting.

 

Even client-side code can't or shouldn't be able to do this. Messing with those kinds of headers could be a security risk.

seany: The only way to spoof the referrer header, is to control the client which is sending the request. So your client can do this on his own computers, but not on those who are visiting the site. As Xyph stated: The server cannot do anything with the client, as it would have been a major security risk.

That said: What he's trying to do sounds really dubious, and possibly part of something that can be illegal. I don't see any legit reason for why he wants the headers spoofed.

 

As for the possible security risk, Xyph, I do hope that you agree with me in that anyone relying upon the referrer header for security is doing something wrong? My web clients don't even send this header normally, as it's purely an informative header and easily spoofed.

2 legit use cases, both SEO related: 

 

1) When you link to another site, you are giving that site "power" in search engine rankings.  Search engine bots crawl your site and see links to xyz.com and it increases xyz.com's rankings.  To an extent, it also hurts your ranking, because it puts you more into "middleman" territory, which is BAD, especially since link exchange/farms sites utterly ruined that territory for everybody else. In short, you are flagging yourself as a site that is NOT the ultimate goal of a surfer, when performing a query, which is a huge part of moving up natural search rankings.

 

2) You don't want other sites looking at who is referring to them...and then spamming the fuck out of you, or selling your info to other sites who will happily spam the fuck out of you.  Also, they will see that traffic comes from you and adjust their own SEO efforts accordingly.  Bid on some keywords more directly related to you, even if they don't necessarily relate to them.  This can hurt you because a) you could be bidding on those same keywords, b) it may moreso pit you against them in natural search rankings.  In short, websites will happily step on other websites to gain higher ground, and this sort of thing is you bending over and holding out your hands to hoist them up.

 

Is it "bad practice" to do this? Not necessarily.  After all, that is kind of why the "no follow" thing was added.  The problem is, it doesn't really stop #2 from happening.

That's one of the reasons I leave SEO to other people. It's disgustingly predatory, and something I don't want to bother competing against.

 

User-generated content aside, it's very easy to prevent links going to the kind of sites that will dick you around. Even with user-generated content, it's quite easy to build a list of external URLs in the content and keep an eye out for bogus links (almost always from bogus users). nofollow helps with this as well.

 

Stack Exchange links to external articles in nearly every post, yet they are constantly at the top of search results. I don't think screwing with the way your user's browser behaves is a solution to someone poisoning your content.
