Is there any tricks to hide the src url in iframe? Or maybe encrypt a part of the external url?

CodePudding user response：

TLDR: No, You cant.

You can prevent it appearing at browser page source using JavaScript. But people still can see it with Inspect Element option.

And if you encrypt the URL, it won't work. HTML src must have a specific URL/File path. It can't understand encrypted text.

Still, If you want to hide it from page source, Try this:

HTML:

<!DOCTYPE html>
<html>
    <head>  
        <title>Document</title>
    </head>
    <body> 
        <iframe id="extframe" src=""></iframe> 

        <script src="script.js"></script>
    </body>
</html>

JavaScript at script.js file:

var iframeUrl = document.querySelector('#extframe'); 
iframeUrl .setAttribute('src', 'https://stackoverflow.com/'); 

CodePudding user response：

You can't. If the URL isn't in the HTML, how would the browser know where to get it?

One thing you could try is to obscure it to make it slightly harder for someone to find it. You could have the src attribute be blank and then when the document is ready fetch the URL value from the server in a separate AJAX request and update the iframe tag to include that value in the src.

This would be a fair amount of work, however, and wouldn't really accomplish anything. The only thing it would prevent is somebody finding it by viewing the page source. They can still look at the "current version" of the HTML in any web browser's debugging tools. (Right click on an element and inspect it, which is nearly ubiquitous at this point.) Or any other normal traffic-sniffing tools will see it plain as day.

Ultimately, if the web browser needs to know a piece of information, then that information needs to be visible on the client-side.