
The embedding is more sophisticated than just an iframe or object tag. Generally they'll proxy the target site to their own origin and strip headers.


Could you not do a domain check of some kind in the JS payload and just document.write the entire thing with a bigass notice if it's not on your blessed domain?

You'd have to move the domain check in syntax and placement I guess, in an annoying game of cat and mouse... but it'd be something I suppose? Probably not worth it if it's not a large enough return.
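The domain check suggested in the comment above, as an added example that is not part of the original thread: it compares the hostname exactly against an allowlist (the `example.com` hosts and all function names are placeholders chosen here) and replaces the page with a notice on any other host. A proxy that rewrites the script can strip the check, which is the cat-and-mouse game the commenter describes.

```javascript
// Added example. Hostnames are constructed placeholders, not from the thread.
const BLESSED_HOSTS = ['example.com', 'www.example.com'];

// Lowercase and drop a single trailing dot so "Example.COM." compares equal.
function normalizeHost(hostname) {
  return String(hostname || '').toLowerCase().replace(/\.$/, '');
}

// Exact match only. Suffix or substring tests would accept a proxy host
// such as "example.com.proxy.test" or "notexample.com".
function isBlessedHost(hostname, allowed = BLESSED_HOSTS) {
  return allowed.includes(normalizeHost(hostname));
}

// Returns true when the page is left alone, false when it was replaced.
// `loc` and `doc` are passed in so the logic can be tested outside a browser.
function enforceBlessedHost(loc, doc, allowed = BLESSED_HOSTS) {
  if (isBlessedHost(loc.hostname, allowed)) {
    return true;
  }
  // The notice is built from constants only, never from the current URL,
  // so nothing controlled by the proxying site ends up in the markup.
  const canonical = 'https://' + allowed[0] + '/';
  const notice =
    '<h1>This is not the real site</h1>' +
    '<p>You are viewing a copy served from another domain. ' +
    'The real site is at <a href="' + canonical + '">' + canonical + '</a>.</p>';
  doc.open();
  doc.write(notice); // replaces the whole document, as the comment suggests
  doc.close();
  return false;
}

// Run only in a browser; under Node there is no window or document.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  enforceBlessedHost(window.location, document);
}
```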



