Detect if a page is within a iframe - serverside

c# asp.net html asp.net-mvc

15,320

Solution 1

This is not possible, however.

<iframe src="mypage?iframe=yes"></iframe>

and then check serverside if the querystring contains iframe=yes or with the Referer header send by the browser.

Solution 2

Use the following Code inside the form:

<asp:HiddenField ID="hfIsInIframe" runat="server" />
<script type="text/javascript">
    var isInIFrame = (self != top);
    $('#<%= hfIsInIframe.ClientID %>').val(isInIFrame);
</script>

Then you can check easily if it's an iFrame in the code-behind:

bool bIsInIFrame = (hfIsInIframe.Value == "true");

Tested and worked for me.

Edit: Please note that you require jQuery to run my code above. To run it without jQuery just use some code like the following (untested) code to set the value of the hidden field:

document.getElementById('<%= hfIsInIframe.ClientID %>').value = isInIFrame;

Edit 2: This only works when the page was loaded once. If someone have idea's to improve this, let me know. In my case I luckily only need the value after an postback.

Solution 3

There is no way of checking this that will fit your requirement of "secure" as stated in your comment on @WTP's answer.

Solution 4

I don't think the server-side can do this, so why not put a hidden control in your page that will be in the iframe? When the URL in the iframe loads, you can add some client-side code to set the hidden input to indicate you are in an iframe. The easiest check would be on the client-side in an onload method, like this:

// Set hidden input
someHiddenInput.value = self != top

It's more secure than the querystring, but it still might not be enough security for you.

My 2 cents.

View more solutions

15,320

pistacchio

Updated on May 30, 2020

Comments

pistacchio almost 4 years

How can I detect server-side (c#, asp.net mvc) if the loaded page is within a iframe? Thanks
pistacchio almost 15 years

thanks, but this doesn't solve my problem as i want the page to be accessed only if within an iframe (for some security reasons). adding something to the querystring is just too easy to do to be secure.
Yuliy almost 15 years

If it's for security reasons, then you're doing something wrong. At best, the only thing that might clue you in to being in an iframe is a referer. And even that is forgeable. Security is done by access checks and validation, not by fragile webs of assumptions.
Royi Namir almost 10 years

this should be the answer.
tetri almost 10 years

no @RoyiNamir, this is not a serverside solution ;)
Vortex852456 over 9 years

@tetri, with this code u are able to check from serverside if you are in an iframe. I agree, that there is some client-code - but in my opinion it's the best solution because it's doesnt care how the page get called. The current accepted answer requires the request value to set in every iframe - and this may get forgotten.
eidylon over 9 years

The only problem with this answer is that it requires the page to run through once, so the value will be filled in. So, it would need something somewhere that after loading basically does: If Not IsPostback Then Postback().