Subscribe to
the Possibilities Ezine

Subscription Terms of Service
Privacy Policy

Most Recent
Software Additions

Go Short URL

Create short URLs with your own control panel, on your own server, and all your short URLs will have your own domain name.

Secure View and Remove

Remove the data from your secure server safely, without compromising your customer's trust.

Survey Lite

Provides an opportunity for your visitors to give you feedback on the subjects you want to hear about.

Attention Ticker

Scrolling text banner is perfect for special offers... news feeds... syndication to other sites ...

URL Masking - Attainment and Prevention

This article does two things: It tells you how to do URL masking. And, it tells you how to protect yourself if someone is masking your web pages without authorization.

URL masking is covering up a URL with a different one. It presents one URL when the actual URL is something different.

Causing the browser's address bar to show a URL different than the actual URL of the web page being viewed is one definition of URL masking. Another definition is to cause a link URL to show in the browser's status bar different than the URL of the web page being linked to.

If you're looking for functionality like the second definition, see the Go Short URL web page.

This article addresses the first definition of URL masking. One URL is in the browser's address bar. The web page being displayed in the browser window is at a different URL.

I will describe several ways to mask URLs. I will also show how to frustrate those who would mask your web page URLs without your consent.

When you know how to accomplish it and how to prevent it, you are that much more in control of your web site.

Here are the three methods of masking URLs addressed by this article:

1. With frames.

2. With Apache rewrite.

3. With page retrieval software.

There are defenses from the first and third method that site owners can employ to prevent that kind of maneuvering. The second method needs no defense because only someone with access to the domain can use it.

URL Masking With Frames

Two different types of frames can be used to present a web page in the browser with a URL different than the URL in the address bar.

1. The FRAMESET tag.

2. The IFRAME tag.

In both methods, when the web page with the frame is loaded into the browser, the frame web page's URL is in the browser's address bar even while the browser window displays a web page located at a different URL.

The frames web page originally loaded into the browser and the web page retrieved from elsewhere may be on different domains.

Using The FRAMESET Tag For URL Masking.

This method hides all visual cues that the web page being displayed is not at the URL in the browser's address bar (unless the web page being displayed itself contains images or wordage that provide clues).

What you do is create a FRAMESET web page that loads the target web page.

Make a web page with the following code. Change the URL in the third line of the code to the URL of the web page to be displayed in the browser.

<frameset rows="100%"> <frameset cols="100%"> <frame src="http://example.com/page.html" frameborder="0" scrolling="no"> </frameset> </frameset>

Put only the above into the FRAMESET web page. Use no HTML or BODY or other normal web page tags.

Upload the FRAMESET web page to your server. Load the FRAMESET web page into your browser.

You'll notice that the URL of the FRAMESET web page is in your browser's address bar even while a different web page, the one you specified in the third line of the above code, is displayed in the browser window.

That's the simplicity of URL masking with a FRAMESET tag.

Using The IFRAME Tag For URL Masking.

This method can leave visual cues that the page being displayed is not the page at the URL in the browser's address bar.

The clues can be (other than clues the web page being displayed itself may contain), depending on the dimensions of the IFRAME compared to the dimensions of the displayed web page:

1. Scrollbars appear on the IFRAME. When the displayed web page is larger than the dimensions of the IFRAME tag, and the IFRAME is allowed to display scroll bars, scroll bars will appear for the site user.

2. Part of the displayed web page is cut off. When the displayed web page is larger than the dimensions of the IFRAME tag, and the IFRAME is prevented from displaying scroll bars, the excess of the displayed web page is cropped.

3. The browser window scroll bars allow the user to scroll down past the end of the displayed page. When the dimensions of the IFRAME tag exceed that of the displayed web page, and the dimensions are larger than the browser window itself, scrollbars for the browser window will let the user scroll past the end of the displayed web page.

To use an IFRAME for URL masking, create a web page with an IFRAME that loads the target web page.

Make a web page with the following code. Change the URL in the fourth line of the code to the URL of the web page to be displayed in the browser.

<html> <body> <iframe src="http://example.com/page.html" frameborder="0" width="800" height="2500" scrolling="no"> </frameset> </body> </html>

Upload the IFRAME web page to your server. Load the IFRAME web page into your browser.

You'll notice that the URL of the IFRAME web page is in your browser's address bar even while a different web page, the one you specified in the fourth line of the above code, is displayed in the IFRAME tag.

See the W3 Schools' "HTML IFRAME TAG" page for information about how to change the IFRAME dimensions, how to allow or prevent scroll bars, and how to change other attributes.

Preventing URL Masking With Frames

This JavaScript somewhere in the web page to be protected will break the web page out of frames and put its own URL into the browser's address bar.

<script type="text/javascript"> if(self != top) { top.location = self.location; } </script>

URL Masking With Apache rewrite

Rewriting URLs in a certain way with the .htaccess file can display web pages from a URL different than the URL in the browser's address bar. However, both the URL in the address bar and the web page being viewed must be located on the same domain as the .htaccess file.

There are no visual clues that the web page being displayed is not at the URL in the browser's address bar unless the web page being displayed itself contains clues.

There are many nuances to consider when writing URL redirect lines for the .htaccess file. Consider testing with an .htaccess file in an otherwise unused subdirectory before going live.

Here is a simple directive that will rewrite all URLs for any documents in the /free directory so the /paid/index.html will display, instead. The URL in the browser's address bar will be the original URL to a document in the /free directory. Yet, web page /paid/index.html is being viewed.

RewriteEngine On RewriteCond %{REQUEST_URI} ^/free($|/) RewriteRule ^.*$ /paid/index.html [L]

If the web page being viewed is at a domain different than where the .htaccess file is located, the URL in the browser's address bar will change.

Probably the most authoritative reference for URL rewriting is the "URL Rewriting Guide" at the apache.org site. Other web sites also have tutorials and guides, some of which may be easier to learn from than apache.org's guide. To get a list, do a search for:
"URL rewrite" +tutorial

URL Masking With Page Retrieval Software

This is software that retrieves a web page and then displays it in the browser.

PHP or SSI (in conjunction with a CGI program) can be used. Other programming languages can be used, also, like ASP.

With PHP, the program code is generally right in the web page source code. With SSI, the SSI tag calls an external program to fetch the web page.

The code on the PHP/SSI web page retrieves the remote web page, inserts a base URL tag into the retrieved web page source code, then displays the contents of the retrieved web page. The URL in the browser's address bar does not change.

You end up with the contents of a web page in the browser window that is located at a URL different than the URL in the browser's address bar. The web page originally loaded into the browser and the web page retrieved from elsewhere may be on different domains.

There are no visual clues that the web page being displayed is not at the URL in the browser's address bar unless the web page being displayed itself contains clues.

Here is how to do it using PHP.

Create a PHP web page that loads the target web page and displays it.

Make a web page with the following code. Change the URL in the second line of the code to the URL of the web page to be displayed in the browser.

<?php $URL = "http://example.com/page.html"; $base = '<base href="'.$URL.'">'; $host = preg_replace('/^[^\/]+\/\//','',$URL); $tarray = explode('/',$host); $host = array_shift($tarray); $URI = '/' . implode('/',$tarray); $content = ''; $fp = @fsockopen($host,80,$errno,$errstr,30); if(!$fp) { echo "Unable to open socked: $errstr ($errno)\n"; exit; } fwrite($fp,"GET $URI HTTP/1.0\r\n"); fwrite($fp,"Host: $host\r\n"); if( isset($_SERVER["HTTP_USER_AGENT"]) ) { fwrite($fp,'User-Agent: '.$_SERVER["HTTP_USER_AGENT"]."\r\n"); } fwrite($fp,"Connection: Close\r\n"); fwrite($fp,"\r\n"); while (!feof($fp)) { $content .= fgets($fp, 128); } fclose($fp); if( strpos($content,"\r\n") > 0 ) { $eolchar = "\r\n"; } else { $eolchar = "\n"; } $eolpos = strpos($content,"$eolchar$eolchar"); $content = substr($content,($eolpos + strlen("$eolchar$eolchar"))); if( preg_match('/<head\s*>/i',$content) ) { echo( preg_replace('/<head\s*>/i','<head>'.$base,$content,1) ); } else { echo( preg_replace('/<([a-z])([^>]+)>/i',"<\\1\\2>".$base,$content,1) ); } ?>

Put only the above into the web page. Use no HTML or BODY or other normal web page tags except as coded above.

Upload the PHP web page to your server. Load the PHP web page into your browser.

You'll notice that the URL of the PHP web page is in your browser's address bar even while a different web page, the one you specified in the second line of the above code, is displayed in the browser window.

That's the simplicity of URL masking with page retrieval software.

Preventing URL Masking With Page Retrieval Software

Put this JavaScript code somewhere in the web page to be protected will break the web page out of frames and put its own URL into the browser's address bar.

<script type="text/javascript"> var domain = "example.com"; var redirect = "http://example.com/page.html"; if( (location.hostname != domain) && (location.hostname != "www."+domain) ) { location.href = redirect; } </script>

On the second line of the above code, type the domain name of the web page to be protected. Just the domain name, not including http:// or www.

On the third line of the above code, type the URL of the web page where the browser is to be redirected to if it is displayed with URL masking by page retrieval software. This redirect URL might be the URL of the web page that is being masked or it might be the URL of some other web page, one with a "don't steal content" message, for example.

URL Masking

There can be good reasons to use URL masking. And it can be misused.

Here, you learned how to do it and also how to protect your web pages from unauthorized masking.

Will Bontrager
© Bontrager Connection, LLC

Please note: Articles on this website are presented "as is". However -

If you have a question about a CGI script, HTML, CSS, PHP, or JavaScript
Ask one of our Experts and you'll have your answer!
Click here for details.

© 1998-2001 William and Mari Bontrager
© 2001-2008 Bontrager Connection, LLC