tags:

views:

831

answers:

2

Looking at a few advertising companies (DoubleClick, Atlas), I've come across the concept of iframe buster files, that are hosted on the same host as the ad publisher (one example: http://www.adopstools.com/ibusters/atlas/atlas%5Frm.htm, and there's a lot of JS code that works with that page).

I read that they're used to dynamically resize the iframe. Is that all there is to iframe busters? Does hosting them on publisher's host help with JS cross-domain restrictions?

Added: I'm referring to the use case described here: http://blog.operative.com/?tag=iframe, and not just changing the iframe source document to the top level.

+4  A: 

iframe busters are intended to break a webpage out of an iframe inside another page.

e.g. if I had an iframe in this answer with your site inside it, the role of an iframe buster on your site would be to bust your site out of my iframe and prevent me from using iframes to show your website

This is similar to frame busters, where a website may be encased in a frameset with a second frame up top with a digg bar or advertisement having been linked form a separate site. In this case, a frame buster would force the browser to display the website and only the website as intended by the author, rather than in a frame with potential advertisement or malware bundled in another frame.

In the provided example, the JavaScript is used to insert a script tag to a second JavaScript file which performs the actual frame busting. The JavaScript used in the html file linked simply obfuscates this process while loading different urls for different advertisements, each with different iframe html to insert.

The lengths gone to are likely to be a factor of a cat and mouse chase, as is common with frame busting techniques, where sites have written scripts to bust out of frames, and the companies responsible for framing the sites have written anti-frame busting scripts, so anti-anti-frame busting scripts have been written.

Tom J Nowell
I think the concept of 'iframe buster' is overused. You're referring to busting out of the iframe so that the 'iframed' page becomes the top level page.However, in ad serving, who would want the ad occupying the whole page space? For example, iframe busters are mentioned here: http://blog.operative.com/?tag=iframe
alex
updated the answer
Tom J Nowell
A: 

This is done for "take over ads". We use iframes (ADI - iframe vs ADJ - javascript) for a few reasons:

1 - they slow down the loading of your page content. 2 - they can break javascript on your page causing your page to stop functioning properly. 3 - worse case: they inject malicious code.

Using the iframe (ADI) approach the ads are isolated into their own document and can't interfere with the main web page.

However, there are cases when your marketing team wants to run take over ads. They are ads that expand outside their iframe window. For these ads the "iframe busting" approach was setup by most of the top advertising vendors. This approach requires you to host a file on your side that the ads can interact with and by pass the cross-domain restrictions of browsers.

Here is a comprehensive list of these files: http://www.adopstools.com/?section=miscellaneous&page=iframes

nopuck4you