views:

200

answers:

2

At some point last month, a random website decided to serve my company's website in a frame. Ignoring the question of "what are they doing?" for a minute, I used some simple frame-buster Javascript:

<script type="text/javascript">
// If this document is not the top-level window, it is being framed:
// navigate the top window to this page's own URL to escape the frame.
if (top.location != location) {
    top.location.href = document.location.href;
}
</script>

That part works great. The problem is, not all frames are bad: if someone comes to the site via ow.ly, we don't want to destroy their frame. I've tried a few things, either to whitelist ow.ly or to blacklist the offending website, but I can't get around the cross-frame security long enough to search top.location. Is there any way I can block only some frames, based on the URL?

To clarify, I realize that I'm unlikely to win the frame-busting arms race. I'm fine with that. What I'm trying to do is establish a whitelist of sites that are allowed to show our site in a frame.

+1  A: 

Take a look at this article by Jeff Atwood: http://www.codinghorror.com/blog/archives/001277.html

Alex
I've seen the post. What's it have to do with getting the URL of `top.location`? If random-frames-dude decides to counter my frame-buster, then I'll deal with that. Until then, I just need to read `top.location`.
ojrac
It's relevant because it's evident that you would be entering an arms race you cannot win - the best thing you can do is to nuke the content as per the linked article (http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing/)
annakata
-1. I have no intention of entering the arms race. I want to raise the barrier to entry with some easy JavaScript. The important part of what I want to do is not hosing legitimate uses like ow.ly and digg.
ojrac
+2  A: 

Employ some help from your back-end. You could check the HTTP referrer header and then enable your frame-buster accordingly.

Ates Goral
+1: This is the best option I've seen, assuming you genuinely can't get that information on the client side. I'll wait to accept for a day or two, in case there's a way.
ojrac
Frame-buster vs frame-buster-buster war is a horrific waste of time. Find something to do that will actually have a positive impact on your user base.
Alex
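The referrer-based approach from the accepted answer, worked through as an added example (not code from the original thread): the server compares the Referer hostname against an allowlist of permitted framers and emits the question's frame-buster script only for everyone else. The hostnames ow.ly and digg.com are assumed for illustration, and the Node `handle` wiring is an assumed minimal handler.

```javascript
// Added example: server-side allowlist of framing sites keyed on the Referer
// header. Hostnames are assumed for illustration; adapt to your own list.
const ALLOWED_FRAMERS = new Set(['ow.ly', 'digg.com']);

// The same frame-buster script the question shows, emitted only when needed.
const FRAME_BUSTER =
  '<script type="text/javascript">' +
  'if (top.location != location) { top.location.href = document.location.href; }' +
  '</script>';

// Returns true when the frame-buster should be written into the page.
// Fail closed: a missing or unparseable Referer enables the buster. That is
// harmless for direct visits, because the script is a no-op when the page is
// not framed, and it covers framers whose browser sends no Referer at all.
function shouldEmitFrameBuster(refererHeader, allowlist = ALLOWED_FRAMERS) {
  if (!refererHeader) return true;
  let url;
  try {
    url = new URL(refererHeader);
  } catch (e) {
    return true; // not a valid absolute URL
  }
  // Compare the exact hostname: a substring check such as
  // referer.indexOf('ow.ly') would also accept "ow.ly.evil.example".
  return !allowlist.has(url.hostname.toLowerCase());
}

// Build the <head> fragment for a response given the request's Referer.
function headFragment(refererHeader) {
  return shouldEmitFrameBuster(refererHeader) ? FRAME_BUSTER : '';
}

// Assumed minimal Node HTTP handler; req.headers.referer is how Node exposes
// the Referer request header.
function handle(req, res) {
  const head = headFragment(req.headers['referer']);
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end('<!doctype html><html><head>' + head +
          '</head><body><!-- page body --></body></html>');
}
```

The Referer is supplied by the visitor's browser, not by your page, so a framing site can cause it to be absent; the fail-closed default above is what keeps that case busting rather than allowed.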