How to know from where the iframe was loaded?

Is the iframe code
<!DOCTYPE html>
<html lang="en">
the <head>
the <script>if(;</script>
 <meta charset="UTF-8">
the <body>

It is assumed that he wakes embedded in an iframe on the page.
But it is necessary to limit the possibility of integration.
Deny all resources to embed the iframe
And and allow you to embed the iframe
if(!'') // not working
April 7th 20 at 15:23
3 answers
April 7th 20 at 15:25
Uploaded iframe does not learn (you can learn something, but in your case it won't help).

1. JavaScript doesn't work, maybe the policy is Same-origin (Same Origin Policy) prevents access from iframe to they have a different origin (roughly speaking - different domains).
Check != window.self browser gives and access to the actual url from the - no.

2. on the server check variable $_SERVER['HTTP_REFERER'] (who asked for the download page) sense either - if the iframe attribute is set referrerpolicy:
<iframe referrerpolicy='no-referrer'>
the referrer will not be sent (it will, but only in IE/Edge and Safari_IOS).

But to do what you want - it's easy. On the page it is necessary to publish an HTTP header Directive CSP with frame-ancestors:
header( "Content-Security-Policy: frame-ancestors https://ваш_сайт.ru http://ваш_сайт.ru;" );

this will allow to open this page in iframe with its own domain Wassily(no subdomains!) at the http:/https:.
And sites and with www or without (but only if Facebook/Google loaded via https: - and they cannot be downloaded via http:).

PS: if your site is available on the www - add "magic" line:
https://www.ваш_сайт.ru http://www.ваш_сайт.ru
April 7th 20 at 15:27
April 7th 20 at 15:29
This is done either in the client js, and in checking the REFERRER header on the server side.
Or mod_rewrite rules in apache.

Find more questions by tags HTMLJavaScript