Detect if a page is within a iframe - serverside
Solution 1
This is not possible, however.
<iframe src="mypage?iframe=yes"></iframe>
and then check serverside if the querystring contains iframe=yes or with the Referer header send by the browser.
Solution 2
Use the following Code inside the form:
<asp:HiddenField ID="hfIsInIframe" runat="server" />
<script type="text/javascript">
var isInIFrame = (self != top);
$('#<%= hfIsInIframe.ClientID %>').val(isInIFrame);
</script>
Then you can check easily if it's an iFrame in the code-behind:
bool bIsInIFrame = (hfIsInIframe.Value == "true");
Tested and worked for me.
Edit: Please note that you require jQuery to run my code above. To run it without jQuery just use some code like the following (untested) code to set the value of the hidden field:
document.getElementById('<%= hfIsInIframe.ClientID %>').value = isInIFrame;
Edit 2: This only works when the page was loaded once. If someone have idea's to improve this, let me know. In my case I luckily only need the value after an postback.
Solution 3
There is no way of checking this that will fit your requirement of "secure" as stated in your comment on @WTP's answer.
Solution 4
I don't think the server-side can do this, so why not put a hidden control in your page that will be in the iframe? When the URL in the iframe loads, you can add some client-side code to set the hidden input to indicate you are in an iframe. The easiest check would be on the client-side in an onload method, like this:
// Set hidden input
someHiddenInput.value = self != top
It's more secure than the querystring, but it still might not be enough security for you.
My 2 cents.
Related videos on Youtube
pistacchio
Updated on May 30, 2020Comments
-
pistacchio almost 4 years
How can I detect server-side (c#, asp.net mvc) if the loaded page is within a iframe? Thanks
-
pistacchio almost 15 yearsthanks, but this doesn't solve my problem as i want the page to be accessed only if within an iframe (for some security reasons). adding something to the querystring is just too easy to do to be secure.
-
Yuliy almost 15 yearsIf it's for security reasons, then you're doing something wrong. At best, the only thing that might clue you in to being in an iframe is a referer. And even that is forgeable. Security is done by access checks and validation, not by fragile webs of assumptions.
-
Royi Namir almost 10 yearsthis should be the answer.
-
tetri almost 10 yearsno @RoyiNamir, this is not a serverside solution ;)
-
Vortex852456 over 9 years@tetri, with this code u are able to check from serverside if you are in an iframe. I agree, that there is some client-code - but in my opinion it's the best solution because it's doesnt care how the page get called. The current accepted answer requires the request value to set in every iframe - and this may get forgotten.
-
eidylon over 9 yearsThe only problem with this answer is that it requires the page to run through once, so the value will be filled in. So, it would need something somewhere that after loading basically does:
If Not IsPostback Then Postback()
.