IFrame buster files - what's their purpose? - html
Looking at a few advertising companies (DoubleClick, Atlas), I've come across the concept of iframe buster files, that are hosted on the same host as the ad publisher (one example: http://www.adopstools.com/ibusters/atlas/atlas_rm.htm, and there's a lot of JS code that works with that page).
I read that they're used to dynamically resize the iframe. Is that all there is to iframe busters? Does hosting them on publisher's host help with JS cross-domain restrictions?
Added: I'm referring to the use case described here: http://blog.operative.com/?tag=iframe, and not just changing the iframe source document to the top level.
This is done for "take over ads". We use iframes (ADI - iframe vs ADJ - javascript) for a few reasons:
1 - they slow down the loading of your page content.
2 - they can break javascript on your page causing your page to stop functioning properly.
3 - worse case: they inject malicious code.
Using the iframe (ADI) approach the ads are isolated into their own document and can't interfere with the main web page.
However, there are cases when your marketing team wants to run take over ads. They are ads that expand outside their iframe window. For these ads the "iframe busting" approach was setup by most of the top advertising vendors. This approach requires you to host a file on your side that the ads can interact with and by pass the cross-domain restrictions of browsers.
Here is a comprehensive list of these files: http://www.adopstools.com/?section=miscellaneous&page=iframes
iframe busters are intended to break a webpage out of an iframe inside another page so that they become the top level page
e.g. if I had an iframe in this answer with your site inside it, the role of an iframe buster on your site would be to bust your site out of my iframe and prevent me from using iframes to show your website
This is similar to frame busters, where a website may be encased in a frameset with a second frame up top showing a digg bar or advertisement. In this case, a frame buster would force the browser to display the website and only the website as intended by the author, rather than in a frame with potential advertisement or malware bundled in another frame.
In the provided example, the JavaScript is used to insert a script tag to a second JavaScript file which performs the actual frame busting. The JavaScript used in the html file linked simply obfuscates this process while loading different urls for different advertisements, each with different iframe html to insert.
The lengths gone to are likely to be a factor of a cat and mouse chase, as is common with frame busting techniques, where sites have written scripts to bust out of frames, and the companies responsible for framing the sites have written anti-frame busting scripts, so anti-anti-frame busting scripts have been written.
Iframe Busters are used to help certain type of rich media creatives perform their full function. FOr example an Expandable rich media will not expand if served into an Iframe without being able to bust out of the Iframe.
This is where the Iframe Buster comes into play.
The purpose of the Iframe buster is to allow the creative to break out of the Publishers Iframes so the creative can be fully functional.
Typically it s a file which needs to be placed in a folder on the sites domain.
So www.yoursitename.com/folder/iframebuster.html
This location will need to be referenced whenever you serve an Expandable ad into the Iframe.
What the iFrame Buster does is it allows an expandable banner to come outside of it's Ad Unit dimension. For rg. if you have a 300x250 ad slots and you have an 300x250 ad banner that expands to 300x500 on mouse over or on click then iFrame buster allows it break that 300x250 boundaries and give room to the banner to expand by 300x500.
Doubleclick iFrame buster us generally required if you have a Rich Media Creative like a Pushdown, PubBar or Expandable being hosted and served/setup in DART Studio.
Atlas has their own iframe buster code, MediaMind has addineyev2.html and similarly FlashTalking and other have theirs which are required to be hosted on the server where the ads are going to run.
Related
How to handle URL changes and keep SoundManager2 playing on background?
I am developing a web application, where a mp3 player is present and user can play the music. Issue that i am facing is how to keep the music playing (and the player untouched) even when I change the URL - go to a different page? The same thing as Deezer or SoundCloud do. You can browse the web and listen to the music meanwhile. Please point me a direction how to implement it. Thank you all!
On soundcloud they don't actually change the page they just change some of the body content with javascript. You can simply do the same, by adding a hidden div for the music, and a div for the content, which calls an api (recommend jquery.ajax) to fetch the content relative to the url in the address bar. With rewriterules inside the .htaccess file, you can make it so it ignores all query strings etc. So it will always load the index.php file. In short, this is no rocket science, has nothing to do with html5 nor soundmanager2. For more info you should use the .htaccess and jquery tag.
Embed doxygen documentation in another site?
I'm trying to embed doxygen documentation into another website. At the moment I have it embedded with an iframe, but it has the side effect that if I open any of the links in the documentation on a new tab, for example, it will go to the separate linked doxygen page outside of the frame. The main site also happens to be generated with sphinx, but the breathe extension is not yet ready to automatically organize such complex documentation without manually writing many .rst files. Also, doxylink reference links such as this link to a file found on the reference page. It seems the shark machine learning library was able to pull this feat off to some degree with the classlist, but it is difficult to determine the exact technique they used. Plus, their license is GPL which is incompatible with my library's BSD license. How can I make sure the documentation is always embedded? Here is how a correctly embedded page should appear: But some links lead to a page like this:
You are essentially opening a link inside an iframe, and want to open that link in the same iframe. This can be done by: <iframe src="http://cnn.com/" name="myFrame"></iframe> <p> </p> which will load all links in the same iframe. Here is my JSFiddle: http://jsfiddle.net/yb82en46/ Sources: How to open a iframe link within the same iframe? - StackOverflow You should specify target name of the iframe. <iframe src="demo_iframe.htm" name="iframe_a"></iframe> <p>www.google.com</p>
Google analytics and iframe content - will all tracking work?
I've seen a bunch of posts on here about google analytics tracking and iframes and how there could be some issues. Also have seen this: https://developers.google.com/analytics/devguides/collection/gajs/gaTrackingSite#trackingIFrames I have tracking code in the parent website that I don't care about, and I have tracking code in the page that's embedded in the iframe that I do care about. The iframe content is a completely different domain. I was wondering if the iframe page will be able to get all the information about demographics and properly be able to send data up to Google for event tracking and whatnot. Again, I don't care about the parent at all in this case. Just that the google analytics code in the iframe works completely on its own. I feel like the article I posted above from Google is relevant for users that want to somehow link the analytics in the iframe with the analytics in the parent, but I could be mistaken?
The documentation describes exactly what you have to do. It really boils down to: Load the iframe using _getLinkerUrl to link the visit inside the iframe with the visit on the top frame Use P3P headers on the iframed page to work around stupid internet explorer. I would add some notes: Even if you don't care about the top level page you should add a tag into it, if you don't you can't use _getLinkerUrl and you lose the traffic source, etc. If you don't use _getLinkerUrl GA inside the iframe will think it's a brand new visit referral from the top level page. Setting cookies inside an iframe, in a third-party domain is the definition of a third-party cookie. Because of that any browser that is set to block third-party cookies will block the GA cookies and GA won't work. This include Safari (both Desktop and Mobile) that are set to block third-party cookies by default. So if visits using Safari or iDevices are important for you (likely these days) this tracking won't probably give you good results. The only solution is to eliminate the iframed page, either put it in your domain or open it in a new window/tab.
prevent break out of iframe
I have a iframe in my webpage (facebook like etc.). can i prevent a break out from this iframe? I did not the iframe can data be read at my session / forms etc
If you're worried about security: No need. An iframe containing an external page can not read sessions, or submit forms, in the parent page. The Same Origin Policy prevents that. Other than that: Preventing frame busting is a complicated task. See this question for some of the complexities, and a working code example for a "frame buster buster".
How to prevent downloading images and video files from my website?
How to prevent downloading images and video files from my website? Is it possible? What would be the best way to do this?
No, it's not possible. If you can see it, you can get it.
Don't post them to your site. Otherwise it is not possible.
As the browser needs to transfer the content to display it (text, images, videos), the data is already on the client's computer when the website is displayed. The previous answers give little advice on how to make it harder for non-experienced users to grab the content. Here are some directions: General Overlay the respecitive contents with a transparent <DIV> or a transparent image (as described in some answers to this question) Open the website in a frameset, so saving may miss the frame content. Open the website via window.open() to hide the menu bar. Disable right-clicks via JavaScript (not recommended due to all the side-effects on usability) Load the page's HTML code from another file (which may check for a specific referer or which may be ROT13) via JavaScript, so it's harder to access the source code. Tell the browser that all content is display:none for the printer (something like #media print { body, div, p { display: none } }) Use JavaScript to hide the content before a client makes a screenshot (see Stop User from using “Print Scrn”) Try to disable or overwrite the clipboard (see this post) Images Do not use the <img> tag for images but set the image as background for a <DIV> Wrap images into SVGs or Flash movies to make them very hard to access in a usable format. Disable caching for images (via <meta> tag or by setting the appropriate header on server delivery), so they are not stored in the browser cache (immeaditely accessible on the client's computer). Cut an image into parts, so it takes some extra work to reconstruct the whole image Add onmousedown events to images, e.g., display a copyright alert. Deliver the image via server script (e.g., PHP) and check the referer. Videos Stream videos to prevent simple downloading via URL. Wrap videos into a Flash movie. Use some nasty format that supports DRM. Texts Make text unselectable (see How to make HTML Text unselectable) Additionally to overlaying, wrap the text into JavaScript (e.g., after ROT13 or loaded dynamically from a second file), so the text is not directly available in the source code. Convert texts to images (this may decrease display quality), SVGs or Flash Again, I repeat that none of this will stop an experienced user from grabbing the content (e.g. by making a screenshot and - optionally - run OCR on it). Sometimes it's as easy as using the browser's developer tools or using the website without JavaScript. Yet, it will give inexperiences users a hard time, so they may look for some easier source to grab from. Also keep in mind that the above techniques will affect search engines when reading the page's content (if you're interested in blocking them, start with a robots.txt). Thank you for any other ideas to complement the above list!
Images must be downloaded in order to be viewed by the client. Videos are a similar case, in many scenarios. You can setup proxy scripts to serve the files out, but that doesn't really solve the issue of preventing the user from getting their own copy. For a more thorough discussion of this topic, see the question How can I prevent/make it hard to download my flash video?
If you are using PHP, the best way is to control it the .htaccess, you need to put your files, images and videos under consideration in a separate folder/directory, and create a new .htaccess file in this directory with the below: RewriteEngine On RewriteCond %{REQUEST_URI} \.(mp4|mp3|avi)$ [NC] RewriteCond %{HTTP_REFERER} !^http://sample.com/.*$ [NC] RewriteRule ^.* - [F,L] The first line %{REQUEST_URI} will prevent getting the file through the web browser or through curl. The second line %{HTTP_REFERER} will prevent accessing the image/video using HTML tags <img> or <video> from any website except the exception ! you provide instead of http://sample.com/ which usually should be your website itself. You can also have a look at my question and the accepted answer here for more tricks on the browser side.
I'd like to add a more philosophical comment. The whole intent of the internet, particularly the World Wide Web, is to share data. If you don't want people to download a picture/video/document, don't put it on the web. It's really that simple. Too many people think they can impose their own rules on an existing design. Those who want to post content on the web, and control its distribution, are looking to have their cake and eat it too.
In short, no. If someone can view an image or video in their browser then they have, by definition, downloaded it. That's how the web works - it is client server based. Whatever you can view in your browser (client) has been transfered to your computer from the remote website (server).
In standard HTML, I don't know of anyway. You didn't really say, but I'm guessing you are having problems with people deep linking into your content. If that's the case, and you are open to server side code, I believe this might work: Create a page that accepts a numeric id, maps it to a server file path, opens that file, writes the binary directly to the response stream. On the page request, generate a bunch of random ids, and map them to the actual media urls, and store that mapping object server side somewhere (in session?) with a limited life. Render your pages with your media links pointing to the new media page with the appropriate id as a query string argument. Clear the mapping object and generate all new links on every postback. This : won't stop people from downloading from within your page definitely isn't as lightweight as standard HTML and has it's own set of issues. But it's a general outline of a workable process which might help you prevent users from deep linking.
As many have said, you can't stop someone from downloading content. You just can't. But you can make it harder. You can overlay images with a transparent div, which will prevent people from right clicking on them (or, setting the background of a div to the image will have the same effect). If you're worried about cross-linking (ie, other people linking to your images, you can check the HTTP referrer and redirect requests which come from a domain which isn't yours to "something else".
you can reduce the possibility but not eliminate it...
It also doesn't hurt to watermark your images with Photoshop or even in Lightroom 3 now. Make sure the watermark is clear and in a conspicuous place on your image. That way if it's downloaded, at least you get the advertising!
This is how I do it in case anyone in the future is wondering. I put this in the .htaccess file on the root server: RewriteEngine on RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.com/ [NC] RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.com.*$ [NC] RewriteRule \.(mp4|avi)$ - [F] This stops them from say going to domain.com/videos/myVid.mp4 and then saving it from there.
No it's not. You may block right-clicks and simillar stuff but if someone wants to download it, he will do so, trust me ;)
As soon as they view your page that includes the picture or video, the item is downloaded into the temporary folder of their browser. So if you don't want it downloaded, don't post it.
You can mark folders or files so that they don't have read access (any of the main web servers support this). This allows you to store them on the server without any level of access to the outside world. You may want to do this if you have a service that generates images for someone else to download later, or if you use your web account for FTP access, but don't want anyone to view the files. (i.e. upload a .bak file to the server for someone else to FTP down again). However, as others have said, getting into copyright areas where people can view the image or video but not save them locally is not fully possibly, although there are tools to discourage illegal usage.
Put your image or video in flash format. Works great.
This is an old post, but for video you might want to consider using MPEG-DASH to obfuscate your files. Plus, it will provide a better streaming experience for your users without the need for a separate streaming server. More info in this post: How to disable video/audio downloading in web pages?
I believe THEOplayer already provides this sort of solution as a paid service, but I'm not so sure about it.
Granted that any image the user can see will be able to be saved on the computer and there is nothing you can do about it. Now if you want to block access to other images that the user is not supposed to see, I am actually doing it that way: Every link is to the "src" in your image tag is in fact a request send to a controller on the server, the server checks the access rights of that specific user, and returns the image if the user is supposed to have access to it, all images are stored in a directory that is not directly accessible from the browser. Benefit: The user will not have access to anything that you don't intent him/her to have access to Drawback: Those requests are slow.. especially is there are lots of images on the same page. I haven't found a good way to accelerate that in fact..
You can set the image to be background image and have a transparent foreground image.
I think the best way is: STREAM THE VIDEO IN SEPARATED ENCRYPTED PARTS. There are video hosting services such as vzaar that have this functionality. As far as I know, that will make it really hard to download directly. At least for 95% of the people. But of course, if the video plays on the screen people can just use a screen recorder and some simple software to record sound from the audio output (but he/she will have to play the ENTIRE thing to save it, totally inconvenient).
You can't stop image/video theft but you can make harder for normal users but you can't make it harder for the programmers like us (I mean thieves that know little web programming). There are some tricks you can try: 1.) Using flash as YouTube and many others sites like http://www.funnenjoy.com does. 2.) Div overlaping or background pic setting (but users with little sense can easily save all resources by opening inspect element or other developer option). 3.) You can disable right click and specific keys like CTRL + S and others possibles with JavaScript but main drawback is that if user disable JavaScript our all tricks fail down. 4.) Save image in none online directories (if you have full access to web server) and read that files with server side languages like PHP every time when image / video is required and change image id time to time or create script that can automatically change ID after every access. 5.) Use .htaccess in apache to prevent linking of your images by others sites. you can use this site to automatically generate .htacess http://www.htaccesstools.com/hotlink-protection/
Insert a transparent gif 1px x 1px just inside the <body> tag: <body><img src="route-to-images/blim.gif" class="blimover"> Then style it with this: .blimover { width: 100% !important; height: 100% !important; z-index: 1000 !important; position: absolute !important; top: 0 !important; left: 0 !important; } This will remove any click functionality from a page, but it sure stops people stealing any content! You can apply the same to a <div>, <section>, <article> etc, just name accordingly and prevent your copy and/or images being ripped. Nothing stops a screengrab though ... ...
If you want only authorised users to get the content, both the client and the server need to use encryption. For video and audio, a good solution is Azure Media Services, which has content protection and encryption. You embed the Azure media player in your browser and it streams the video from Azure. For documents and email, you can look at Azure Rights Management, which uses a special client. It doesn't currently work in ordinary web browsers, unfortunately, except for one-off, single-use codes. I'm not sure exactly how secure all this is, however. As others have pointed out, from a security point of view, once those downloaded bytes are in the "attacker's" RAM, they're as good as gone. No solution is 100% secure in this case (please correct me if I'm wrong). As with most security, the goal is to make it harder, so the 99% don't bother.
I think the best way is to prevent right clicking on your webpage, because that is the most convenient way a normal user try to download the content, and you can consider it as remark if u able to do this only as you are never gonna be able to stop a computer geek or hacker people from downloading it, because once the content is on the internet, it means it is in the public domain already...
Put the content on google drive and make it download protect. This way people can only see your documents, pictures but cannot download it.
DRM solutions are available today. It makes the video viewable but not downloadable. What is DRM? Digital Rights Management (DRM) solutions are software programs created to help people protect and control their valuable digital content, whether it's documents, videos, images, or audio files. Check out this. Hope it's helpful.