Securing an iframe

bsfthp

Hello everyone! Been looking around for a solution to this but can't find. We are a Web Design Firm and manage data held centrally on our servers for clients. Clients access this data via an iframe on one of their Web Pages. An example can be found at

iframe code is:

<iframe id="taxrates" name="taxrates" width="710px" height="580px" align="left" frameborder="no" scrolling="yes" src="http://www.theholtpartnership.co.uk/tax_rates_2006/index.html">&nbsp;</iframe>

As you have probably guessed by now, the problem is trying to make the source data secure and stop anyone from creating their own iframe and linking to our data.

I have tried deactivating the URL in the Status Bar but I have not found any code that also hides the URL when any links on the page are clicked and held down with the mouse.

Also tried making the source Directory password protected by including the username and password vaiables in the URL, and although it works fine in Firefox, it fails in IE7

http://taxrates2006:01707695651@www.theholtpartnership.co.uk/tax_rates_2006/index.html

Has anyone any suggestions on how best to secure the data shown in the iframe?

Once i have the code, I will be using encryption software to hide the code and attach it to specific Domain names.

Any help or suggestions on this issue will be much appreciated. Thank you in advance.

bradgrafelman

Basically, if you don't require authentication and your data is readily accessible (putting a username/password in the HTML is not requiring authentication, it's requiring a thief to right click and press view source), then you really can't expect to "secure" anything from prying eyes.

No matter what you do, if the method to view the data is included in the HTML, it's going to be accessible by someone who wants to steal the address/display the data.

bsfthp wrote:
Once i have the code, I will be using encryption software to hide the code and attach it to specific Domain names.

I'd love to know what you mean, as there is no such thing as "encrypting" HTML code, really. 'Obfuscating', perhaps, yes, though 'security by obscurity' is again not a fool-proof method (nor reliable if the thief is even slightly more than your average web user).

The best way may be to do referrer checks, though you should not that the HTTP_REFERER header is not required in the HTTP specifications; in fact, many browsers allow you to spoof this header (again, you'd simply have to hope that a thief doesn't figure this out) while others (and some proxies) will remove it altogether (preventing the users with these browsers/proxies from seeing your data).