Frames to disguise URL - the simplest explanation possible please!

Hi… I’m not slick with coding HTML by any stretch, but I can fumble along - I am using Dreamweaver and Textmate and getting the job done.

Here’s what I need to accomplish:

A page sits on my secure server, is what is visible in the browser address window.

Inside a frame that is not visible to the eye, that takes up the whole page if necessary, that’s fine, is a form.

That form communicates back and forth with a completely different (also secure) site,

I don’t want the second URL to ever be visible in the browser address window at all. I want the browser address window to always be - actually, the formthing.htm part isn’t necessary… just the toplevel URL. In an ideal world, actually, if returns some kind of result that requires action, such as someone making a mistake on the form and needing to fix it, it would be great if I could make a page change in the URL to respond to that, but it’s not necessary. That’s later, the core non-change is what I’m looking for.

I would also, if possible, prefer to disguise the communication between the second non-stoid server and the stoid server in the source code, but that’s not as important. I just want Joe Surfer to never see the second URL.

I do not want to get into anything complicated, I assume this can be done in the same way that Google, when you go to look at an image, will have the site where the image resides in a frame, while the URL remains something Googly.

In case this type of thing can be used for nefariousness… I’m not using it for nefariousness. It’s actually to protect me.

Thanks for your help.

That should be the normal behavior of a 100% frame, if I am understanding you correctly. Heck, you can even use an iframe (although it’s now supposed to use the object tag.)

I do want to point out that it will not make it impossible to figure it out, if someone wants to. For example, if I see the page change without the top URL changing, I’ll suspect a frame, and if I want to link straight to the page I’m actually seeing, I can right-click in Firefox and choose “View this frame only” or something like that.

Oh, and any links that you do not want to stay within the top frame need to clear the frame. Add target="_top" to any links that need to go outside the frame. If you have a lot of these, you can put that attribute in the <base> tag in the header, and use target="_self" for the exceptions.


    <a href="" target="_top">Google in address bar</a>
    <a href="">Google not in address bar</a>

    <base target="_top">
    <a href="">Google in address bar</a>
    <a href="" target="_self">Google without address bar</a>

The frame code would be something like:

    <html>
    <head><title>My Not-So-Secret Google Redirect</title></head>
    <frameset rows="0,*" framespacing="0" border="0" frameborder="0">
    <frame scrolling="no" noresize>
    <frame scrolling="auto" noresize src="">
    </frameset>
    </html>

Might I ask what legitimate, non-criminal reason someone might have for wanting to do this?

You can ask, but if I wanted to post it on a message board in public, I would have.

It’s not a big deal, honestly.

And thanks to all for the help!

There’s lots of valid reasons for doing this. If you’re using a service you don’t want your customers to know about, because you want them to use the service through you (you get commission) and not the service’s site (you don’t get commission) then obscuring the URL of the page serving the form will make it less evident to the customer that they can just go to this other URL and get the same service.

Even if the form is on your site and it posts to some other URL, which then redirects back to your site…if the posting goes slow or if there’s an error, the service’s URL will be in the browser’s address bar unless you use framing.

It’s not like you can’t figure out the URL of the form or the post without 2 seconds of work, but not everyone will think to do that. No reason to put it up in their faces in the address bar if you don’t want people to know.

Security by obscurity is not security at all.

What you probably want to do is have this all happen server-side rather than client side. That means no frames, but you do a pass-through proxy on by mapping it to the main stoid site.

How you do that varies by web server, and there are several ways to do it with Apache, the most common web server.

Beyond that you are on your own, for the same reason the lawyers wouldn’t give you a committed answer - if you want to do a professional’s work, then get the same training or experience as a professional. Especially if you won’t even say why you want professional advice for free, which seems to be a pattern here…

That being said, I guarantee you that whatever your configuration and method you choose to do it, you can google very specific and effective solutions. As a professional I might do that too, but the difference is I know the right search to do AND I can sort the crap from the effective at a glance because I have done exactly what I suggest many many times in the last 13 years or so. The only reason I would search at all is because I am too lazy to pull some O’Reilly books off the shelf, I am not near my shelf, or your software configuration is less common.

You can avoid the subterfuge (and negative customer service) if the web page actually sits on your server but calls the form script residing on a different server. Whatever course of action you choose, anyone watching the status bar during the form transaction will see your hidden server.

If both sites are https, most browsers will not permit the so-called cross domain access without warning the user that stuff is going out to a domain other than the one in the url they’re seeing.

Were the two sites not https, this would not be an issue.

There’s a way to do it “officially” but I don’t have the chops to deal with the API.

Down the road…

Duckster is not quite right. You could write a script on your server that proxies the other server and prevents the client seeing it.

Of course, all this raises the question of if any of these approaches falls within the terms of service of the remote service. Framing or otherwise proxying is not likely to be within the terms of service of anyone that cares about their brand.

Not only that, but there are (I believe) browser plugins that will flag such sites - aside from evidence of intellectual property abuse, such framing as Stoid proposes is evidence - not sufficient, but a sign of a “spammy” site.

Huh? You don’t have the chops to do it unofficially either. But I bet documentation exists with examples on how to do it right if there is an API.

And I bet if there is an API, there is a very active and specific support forum where you can ask specific questions instead of vague questions here.

And I also bet if there is an API, doing it your way is against the TOS.

Yes, documentation exists, of course. Like I said, beyond me.

Questions yes, teaching me the underlying skills to implement, no.

Against TOS, wrong.

It’s not even a whole site, just a single page.

It has ZERO to do with Joe Surfer, his browser, his email, his privacy, or him. It’s not about the public, search engines, spam, or anything else anyone is going to be able to guess or worry about. Nothing that is actually occurring is in any way hidden, only the domain where the page lives, not anything that it does. It’s for a very focused, specific and legal purpose, it’s boring.

And I’ve got it wired, thanks much for your help.


BTW, it is far from clear that framing content from another server is not a copyright violation, and it is likely not fair use. Your stated purpose here is to mask the true origin of the copyrighted material.

How do you know that querying the existing support forum for the actual product will not result in you being able to implement what you seek? Sounds like what you want to do is pretty basic - to load a form on your own web site using the API that is a duplicate, or essentially the same as one on the service’s own site.

Why not ask on their forum - someone there probably has exactly what you need in PHP, perl, ruby, etc. Then it would be a matter of ftp’ing or otherwise copying what they provide to your server just as you do now with html files.

You are really making it more complicated than it needs to be, as seems to be your habit. You asked for the simplest solution, and in the end, that IS the simplest solution: to pose your question on the support board of the product in question, instead of asking vague questions here where we know nothing of the product or your configuration.

Whoa… how did a simple question about URL cloaking devolve into these attacks? Why does Stoid need to provide justification for this? There are legitimate uses for URL cloaking. There are also easier ways to rip off copyrighted material, if that was ever the goal.

I understand that. A spammy page on an otherwise OK site makes for a spammy site. Once there is one, who knows if there are others or will be others later or have been in the past?

The spammy aspect of what you say is the framing. In general, this is a bad practice, and always has been. There are copyright issues involved, as noted above. You are seeking for the end user to think that the work of others as found on your site is in fact your work by masking the URL somehow.

Doesn’t matter. You are apparently seeking to pass off someone else’s intellectual property as your own, even though they are willing to provide and license you an API to accomplish what you want to accomplish according to terms they can live with.

Understood. The content comes off of their server, but the visitor to your server, you want him or her to think it comes from your server. Can you steal on the internet any more blatantly than that?

Really? Doesn’t sound boring to me. I own or run many web sites and if you did this to any of my forms, I would be all over your ass, no matter how mundane or small the site happened to be.

It is possible for their site to prevent your masking in the ways discussed by the way, and if they have gone through the bother of making an api such a thing might kick in at any time. Why risk it?

Also, I bet there are plugins for Firefox and others that check to see if a page is framed as you have described, precisely because it is a security risk as discussed - you are sending information on the form through a third party vendor without identifying them or their policies, and that is unfair to your user. It smacks precisely of phishing, even if that is not your intent, this is one way it is done. Security services, including search engines, are searching and blocking sites that they see as spammy these days… do you really want to risk that?

And I’ve got it wired, thanks much for your help.

Of course there are simpler ways to access the material - she said there is an API, but can’t be bothered to do it the licensed way.

She is vague about the purpose for this, and it smells to me like some sort of phishing scheme. She says it is to protect her, but how does hiding the 3rd party site protect her? That is what I don’t get unless she is somehow collecting info from someone that, from that someone’s point of view is going to be handled by stoid but instead is going to be sent elsewhere?

What legit purpose is there for hiding the true location of a form and its action from a visitor?

Contrived examples:

I come on the site looking to sign up for the Stoid family newsletter but instead am signing up for Porn of the Day mail.

Or maybe she is going to frame my Amazon book links but use her user ID so my server bears the load but she gets paid for it.

Oh yeah, that both of these pages are https sets off my suspicion too…that is supposed to increase the reader’s level of trust, and it seems like she is in effect setting up a man in the middle attack possibly.

At the very least, it tells me there is likely some personal/private information being exchanged in the form whose true origins she wishes to hide…

So name one legitimate use.

I can’t think of any that aren’t shady & ethically dubious.
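
Added example, not part of the original thread: a post above notes that the framed site can prevent this kind of masking. Sites do that with the X-Frame-Options and Content-Security-Policy frame-ancestors response headers, and this sketch models how a browser uses them to decide whether a parent page may frame a response. The hostnames service.example, reseller.example and partner.example and all function names are constructed for illustration.

```javascript
// Added example: decide whether a response's headers let `parentOrigin` frame it.
// Simplified model: one CSP header, only the direct parent is checked, and
// explicit ports in host-sources are not modelled (such sources never match).
function parseFrameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent
}

function sourceMatches(source, pageOrigin, parentOrigin) {
  const parent = new URL(parentOrigin);
  const s = source.toLowerCase();
  if (s === "*") return true;
  if (s === "'self'") return parent.origin === new URL(pageOrigin).origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s; // scheme-source
  // host-source: optional scheme, optional leading "*." wildcard, host name
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)$/.exec(s);
  if (!m) return false; // includes 'none' and anything unrecognised
  const [, scheme, wildcard, host] = m;
  if (scheme && parent.protocol !== scheme + ":") return false;
  return wildcard ? parent.hostname.endsWith("." + host) : parent.hostname === host;
}

function framingAllowed(headers, pageOrigin, parentOrigin) {
  const sources = parseFrameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // frame-ancestors present: browsers ignore X-Frame-Options entirely
    return sources.some((s) => sourceMatches(s, pageOrigin, parentOrigin));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") {
    return new URL(parentOrigin).origin === new URL(pageOrigin).origin;
  }
  return true; // no header, or an obsolete value such as ALLOW-FROM: no protection
}
```

A form host that wants to be embedded only by named partners would send `frame-ancestors` listing those origins; with neither header set, any site can frame the page as described in the thread.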