Check if program is embedded in an iframe

Hi,

I want to disable some functions in my VAADIN program if the program is displayed in an iframe. The complete function range should be available only if the program is started from my domain.

How can I identify if the program is embedded in an iframe?

Many Thanks
Heiko

Well, at least the initial request should get the Referrer header, which points to the top-level page. You should be able to read it from the request in a custom Vaadin servlet. I think there’s also the Origin header if the iframe is in a page in another domain.

Another way would be to make a JavaScript call, test if “parent != window”, and send that back with a JavaScript callback function. However, you can’t make that call before you initialize your UI.

Perhaps you could also customize the page vaadinBootstrap.js to send the information before the UI instance is created… But that would probably get a bit complex.


In any case, information sent from a JavaScript call should not be fully trusted, and neither should the Referrer, although the security concerns are different.
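
A sketch of the header check suggested above, as an added example that is not part of the thread or of Vaadin itself: it classifies the initial request by exact host comparison of the Origin or Referer value. `EmbedCheck`, `OWN_HOST` and the sample URLs are assumptions. A foreign Referer also appears on a plain link click and a missing one is ambiguous, so the result is a hint, not proof of embedding.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class EmbedCheck {

    enum Source { OWN_SITE, FOREIGN_SITE, UNKNOWN }

    // Assumption: the host the application is served from (placeholder value).
    static final String OWN_HOST = "app.example.com";

    /** Classifies the initial request from its Origin and Referer values (null if absent). */
    static Source classify(String origin, String referer) {
        // Prefer Origin when present and not the opaque "null"; otherwise use Referer.
        String value = (origin != null && !origin.equals("null")) ? origin : referer;
        if (value == null || value.isEmpty()) {
            // Typed URL, bookmark, or a referrer suppressed by the embedding page.
            return Source.UNKNOWN;
        }
        try {
            String host = new URI(value).getHost();
            if (host == null) {
                return Source.UNKNOWN;
            }
            // Exact host match: substring or prefix tests would also accept
            // look-alike hosts such as app.example.com.other.example.
            return host.equalsIgnoreCase(OWN_HOST) ? Source.OWN_SITE : Source.FOREIGN_SITE;
        } catch (URISyntaxException e) {
            return Source.UNKNOWN; // malformed header value
        }
    }

    public static void main(String[] args) {
        // In Vaadin the values would come from
        // VaadinService.getCurrentRequest().getHeader("Referer") and getHeader("Origin").
        // Constructed sample values:
        String[][] samples = {
            {null, "https://app.example.com/start"},
            {null, "https://portal.other.example/page-with-iframe"},
            {null, "https://app.example.com.other.example/"},
            {"https://portal.other.example", null},
            {null, null},
            {null, "not a url"},
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " | " + s[1] + " -> " + classify(s[0], s[1]));
        }
    }
}
```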

Hi Marko,

I tried this:

> Well, at least the initial request should get the Referrer header, which points to the top-level page. You should be able to read it from the request in a custom Vaadin servlet. I think there’s also the Origin header if the iframe is in a page in another domain.

but from the same domain. I will follow this.


> In any case, information sent from a JavaScript call should not be fully trusted, and neither should the Referrer, although the security concerns are different.

I know. Many people ask me if they are allowed to embed my site in their site. It would be better than a simple link. I will add a check to the listener for whether the program is embedded, and redirect to my site in case someone wants to use my program.

Many Thanks
Heiko