tags:

views:

184

answers:

3
Q: 

prevent kill frame

instead of asking how to kill frame. i interested to know what technique can be used to prevent an iframe inside a page from been killed by "frame killer"

+2  A: 

Happily, there is nothing that works outside of Internet Explorer (which lets JS be disabled in iframes as a security feature).

If the author of a site doesn't want their pages framed, then that is their choice.

David Dorward  2009-08-24 10:10:54
+5  A: 

There is always, unfortunately a way to get round frame killers, because of the way they work. (The site that is being framed can usually, however, display a warning).

See Jeff Atwood's "disturbing revelation".

A few choice excerpt:

If an evil website decides it's going to frame your website, you will be framed. Period. Frame-busting is nothing more than a false sense of security; it doesn't work.

Frame busting code (from the linked Stack Overflow challenge):

<script type="text/javascript">
    var prevent_bust = 0  
    window.onbeforeunload = function() { prevent_bust++ }  
    setInterval(function() {  
      if (prevent_bust > 0) {  
        prevent_bust -= 2  
        window.top.location = 'http://server-which-responds-with-204.com'  
      }  
    }, 1)  
</script>

This code does the following:

  • increments a counter every time the browser attempts to navigate away from the current page, via the window.onbeforeonload event handler

  • sets up a timer that fires every millisecond via setInterval(), and if it sees the counter incremented, changes the current location to a server of the attacker's control

  • that server serves up a page with HTTP status code 204, which does not cause the browser to nagivate anywhere

Jon Hadley  2009-08-24 10:51:51
A: 

I don't get it. I tried to iframe a page with framekiller using the iframekiller killer as described (I put in in the head section of a blog, it just load up 'http://server-which-responds-with-204.com' all the time.

I even tried to make an empty blog (nothing in head and body) using blogger.com and replace 'server-which-responds-with-204' with it, it just load the empty blog.

Am I missing something here? What exactly am I suppose to do with http 204 thingy?

Mr X  2009-12-04 12:52:04

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?