1. Inside the loaded iframe you can't find this out (you can learn something, but in your case it won't help).
It doesn't work; maybe it is the same-origin policy (Same Origin Policy), which prevents access from the iframe to window.top.location.href if they have a different origin (roughly speaking, different domains).
The browser allows the check window.top != window.self, but access to the actual URL from window.top it does not.
2. On the server (the one that was asked for the page) it makes no sense either: if the iframe has the referrerpolicy attribute set, the referrer will not be sent (it will, but only in IE/Edge and Safari_IOS).
But doing what you want is easy. The page has to send an HTTP header, CSP with the frame-ancestors directive:
header( "Content-Security-Policy: frame-ancestors https://ваш_сайт.ru http://ваш_сайт.ru https://www.facebook.com https://facebook.com https://www.google.com https://google.com;" );
This will allow the page to be opened in an iframe from your own domain ваш_сайт.ru (no subdomains!) over http:, and from the sites facebook.com or without (but only if Facebook/Google are loaded via https:, and they cannot be loaded via http:).
PS: if your site is available with www, add the "magic" line:
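
Added example, not part of the original answer (and not the line the PS refers to): a simplified model of how a browser matches an embedding page's origin against the host sources of a frame-ancestors policy shaped like the header above, showing the exact-host rule behind "no subdomains!". The names parseSource, sourceMatchesOrigin and mayEmbed and the placeholder domain your-site.example are assumptions made for this sketch; it checks a single ancestor and handles only scheme://host[:port] sources.

```javascript
// Simplified CSP Level 3 host-source matching, as applied by frame-ancestors.
// Out of scope: 'self', 'none', bare schemes, scheme-less sources, paths.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function parseSource(src) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^\/:*\s]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) throw new Error("unsupported source expression: " + src);
  return { scheme: m[1].toLowerCase() + ":", wildcard: Boolean(m[2]),
           host: m[3].toLowerCase(), port: m[4] || null };
}

function sourceMatchesOrigin(src, origin) {
  const s = parseSource(src);
  const u = new URL(origin); // origin of the page that embeds the iframe
  // Scheme: an http: source also matches an https: origin, never the reverse.
  const schemeOk = s.scheme === u.protocol ||
                   (s.scheme === "http:" && u.protocol === "https:");
  if (!schemeOk) return false;
  // Host: exact match unless the source starts with "*.", which matches
  // subdomains only (not the bare domain itself).
  const hostOk = s.wildcard ? u.hostname.endsWith("." + s.host)
                            : u.hostname === s.host;
  if (!hostOk) return false;
  // Port: no port in the source means "default port of the origin's scheme".
  if (s.port === null) return u.port === "";
  if (s.port === "*") return true;
  return s.port === (u.port || DEFAULT_PORT[u.protocol]);
}

function mayEmbed(policy, ancestorOrigin) {
  const directive = policy.split(";").map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === "frame-ancestors");
  if (!directive) return true; // this policy does not restrict framing
  return directive.slice(1).some(src => sourceMatchesOrigin(src, ancestorOrigin));
}

// Constructed policy with the same shape as the header in the answer.
const POLICY = "frame-ancestors https://your-site.example http://your-site.example " +
  "https://www.facebook.com https://facebook.com https://www.google.com https://google.com;";

for (const origin of ["https://your-site.example", "https://www.your-site.example",
                      "https://www.facebook.com", "http://www.facebook.com"]) {
  console.log(origin, "->", mayEmbed(POLICY, origin) ? "allowed" : "blocked");
}
```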