Sort of being lazy, I wanted to just embed the main interface of my website in a small window, rather than rescaling it.

So if I did <iframe src="mysite.com" width="auto" height="auto"> am I vulnerable to an attack, e.g. someone replacing the src with a different location?

https://forums.phpfreaks.com/topic/294690-can-iframe-sources-be-hijacked/

Usually iframes are safe if it is your own content and the content being iframed has no security flaws in it.

If you want to prevent clickjacking you can use the X-Frame-Options response header.

 

When you iframe you lose a lot of control over what you can do with it.

You are just adding a "window" of it. You can resize the frame but not the content within.

 

I would break the script up and include() it in both places.

Another method would be to use file_get_contents().

Output buffering can be used to capture and store the data in the internal buffer and output it any way you want.

ob_start()

ob_get_clean()

ob_end_clean()

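The two suggestions in the answer above, sketched as an added example that is not part of the original thread: sending X-Frame-Options (with the CSP frame-ancestors directive alongside it) so only same-origin pages can frame the content, and rendering a shared partial with output buffering instead of an iframe. The function names, the partial name and the temp-file demo are assumptions made for illustration.

```php
<?php
// Added example; all function and partial names are hypothetical.

/** Allow this response to be framed only by pages on the same origin. */
function send_framing_headers(): void
{
    if (headers_sent()) {
        throw new RuntimeException('Headers already sent; call before any output.');
    }
    header('X-Frame-Options: SAMEORIGIN');                      // header named in the answer
    header("Content-Security-Policy: frame-ancestors 'self'");  // CSP equivalent
}

/**
 * Render a partial to a string via output buffering so the same markup can be
 * reused on several pages. $partials is a fixed name => path allowlist, so a
 * request parameter can never select an arbitrary file to include.
 */
function render_partial(array $partials, string $name, array $vars = []): string
{
    if (!isset($partials[$name])) {
        throw new InvalidArgumentException("Unknown partial: $name");
    }
    ob_start();
    try {
        include $partials[$name];        // the partial reads its data from $vars
        return (string) ob_get_clean();
    } catch (Throwable $e) {
        ob_end_clean();                  // discard partial output on failure
        throw $e;
    }
}

// Constructed demo: write a tiny partial to a temp file and render it.
$file = tempnam(sys_get_temp_dir(), 'partial');
file_put_contents(
    $file,
    '<div class="main"><?= htmlspecialchars($vars["title"], ENT_QUOTES, "UTF-8") ?></div>'
);
$partials = ['main_interface' => $file];

if (PHP_SAPI !== 'cli') {
    send_framing_headers();              // only meaningful when serving HTTP
}
echo render_partial($partials, 'main_interface', ['title' => 'Dashboard <small>']), "\n";
unlink($file);
```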
  • 2 weeks later...

Well, take adblock for example. I'm not sure how they work. I would like to think that they read the source and find code that matches advertisements, like the format for Google AdSense, and somehow rewrite them, for example using jQuery to set display: to none;, but I don't know if that is possible.
