Using The IFRAME Tag For URL Masking.
This method can leave visual cues that the page being displayed is not the page at the URL in the browser’s address bar.
The clues can be (other than clues the web page being displayed itself may contain), depending on the dimensions of the IFRAME compared to the dimensions of the displayed web page:
- Scrollbars appear on the IFRAME. When the displayed web page is larger than the dimensions of the IFRAME tag, and the IFRAME is allowed to display scroll bars, scroll bars will appear for the site user.
- Part of the displayed web page is cut off. When the displayed web page is larger than the dimensions of the IFRAME tag, and the IFRAME is prevented from displaying scroll bars, the excess of the displayed web page is cropped.
- The browser window scroll bars allow the user to scroll down past the end of the displayed page. When the dimensions of the IFRAME tag exceed that of the displayed web page, and the dimensions are larger than the browser window itself, scrollbars for the browser window will let the user scroll past the end of the displayed web page.
To use an IFRAME for URL masking, create a web page with an IFRAME that loads the target web page.
Make a web page with the following code. Change the URL in the fourth line of the code to the URL of the web page to be displayed in the browser.
<html>
<body>
<iframe src=”http://example.com/page.html” frameborder=”0″ width=”800″ height=”2500″ scrolling=”no”>
</frameset>
</body>
</html>
Upload the IFRAME web page to your server. Load the IFRAME web page into your browser.
You’ll notice that the URL of the IFRAME web page is in your browser’s address bar even while a different web page, the one you specified in the fourth line of the above code, is displayed in the IFRAME tag.
See the W3 Schools’ “HTML IFRAME TAG” page for information about how to change the IFRAME dimensions, how to allow or prevent scroll bars, and how to change other attributes.
Preventing URL Masking With Frames
This JavaScript somewhere in the web page to be protected will break the web page out of frames and put its own URL into the browser’s address bar.
<script type=”text/javascript”>
if(self != top) { top.location = self.location; }
</script>
URL Masking With Apache rewrite
Rewriting URLs in a certain way with the .htaccess file can display web pages from a URL different than the URL in the browser’s address bar. However, both the URL in the address bar and the web page being viewed must be located on the same domain as the .htaccess file.
There are no visual clues that the web page being displayed is not at the URL in the browser’s address bar unless the web page being displayed itself contains clues.
There are many nuances to consider when writing URL redirect lines for the .htaccess file. Consider testing with an .htaccess file in an otherwise unused subdirectory before going live.
Here is a simple directive that will rewrite all URLs for any documents in the /free directory so the /paid/index.html will display, instead. The URL in the browser’s address bar will be the original URL to a document in the /free directory. Yet, web page /paid/index.html is being viewed.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/free($|/)
RewriteRule ^.*$ /paid/index.html [L]
If the web page being viewed is at a domain different than where the .htaccess file is located, the URL in the browser’s address bar will change.
Probably the most authoritative reference for URL rewriting is the “URL Rewriting Guide” at the apache.org site. Other web sites also have tutorials and guides, some of which may be easier to learn from than apache.org’s guide. To get a list, do a search for:
“URL rewrite” +tutorial
Leave a Reply