However, is there anyway to know the top level domain of the site hosting the iframe?

Nothing reliable.

Presumably this is not sent in the http request for the iFrame? Or is it, I couldn’t see it?

It might be sent in the referer

Or do you need to send the domain from javascript?

If you want to fetch it from the framed page, you will be blocked by the same origin policy.

If you want to sent it from the framing page, you will be putting it in the query string and you can’t trust it because it can be set to whatever the person writing the framing page likes.

There is also the X-Frame-Options header (but that has limited browser support).

The most reliable solution I can think of is:

1. Require the origin to be specified in the query string used to load the frame
2. Check the referer. If it doesn’t match your white-list and is not blank, redirect to a page that is blank except for a link to your site with target="_top" and some JavaScript that top.location = "your site"
3. Check that the origin specified in the query string is on your whitelist, if it isn’t act in the same way as a rejected step 2
4. Output an X-Frame-Options header that limits the framing to the specified origin

That is likely to catch enough browsers to discourage the framing site from framing your site.