I'm searching for a guide that describes how to implement a working frame buster that also deals with people that don't have JS activated in their browser.

I read this very good question but I'm absolutely not interested in any advice like "don't do that yourself" or "maybe try...". I want to see a paper, with a step-by-step guide explaining every "why" (without maybe's and without guesses). Academic papers preferred.

Can anyone post the link to the de-facto holy-grail paper of doing that?

thanks,

+6  A: 

To be honest I think what you are describing is impossible. Correct me if I am wrong but this seems like a violation of the same origin policy. This is the "de-facto Holy-Grail" paper of what browsers are allowed to do: http://code.google.com/p/browsersec/wiki/Main Make sure to read section 2.

*EDIT: ClickJacking is an attack that bypasses aspects of the same origin policy in un-patched web browsers. Trying to prevent all attacks that can come from unpatched browsers is a massive undertaking, especially considering that person is most likely already hacked and a part of a BotNet. If you are really concerned about vulnerable web browsers I recommend blocking IE6 and below.

Rook
+2  A: 

On IE8 you have http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx (So a site or a page that did not want to be iframed would set the response header X-FRAME-OPTIONS: DENY). I also tested this with Firefox 3.5.x at some point and it worked.

Otherwise the linked page (http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing/) pretty accurately describes the issue and how many major sites deal with this today for some subset of their pages since a large number of users still are on IE6, etc.

mar
This vulnerability affects web browsers and that's where the patch should be. Trying to stop every vulnerability that affects IE6 is a massive undertaking, especially because that person is probably a member of a botnet anyway. If you are really concerned just block IE6 users, most major sites are dropping support for them anyway.
Rook
Won't disagree about IE6 users. For some sites on this specific issue: 1) Site may decide users must have js enabled and so a solution that works across browsers *before* IE8 option is fine. 2) Clickjacking is old and have not seen massive uptick because attackers continue to use phishing, XSS and along with malware remain more serious. 3) Is Opt-in per page. If you have control over webserver you could add this by default to response header (is compat). Would like better soln from browsers. 4) Non IE8, Firefox 3.0+ form large %/no. and business do not want to forgo revenue from these users.
mar
Adding to prev. comment. If not subject to constraints listed in my previous comment, make use of these options (in answer) and don't support IE6. I don't think IE7 or Safari support these options either.
mar
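The second answer and its comments suggest sending X-FRAME-OPTIONS: DENY by default from the web server, which needs no JavaScript in the browser. The following is an added example, not code from the thread or the linked posts: a WSGI middleware that does this. The class name, the `exempt_prefixes` parameter, the sample paths and `demo_app` are assumptions made for illustration.

```python
# Added example: send X-Frame-Options on every response from a WSGI app.
FRAME_HEADER = "X-Frame-Options"


class FrameOptionsMiddleware:
    """Wrap a WSGI app so responses carry X-Frame-Options unless exempted."""

    def __init__(self, app, policy="DENY", exempt_prefixes=()):
        if policy not in ("DENY", "SAMEORIGIN"):
            raise ValueError("unsupported policy: %r" % policy)
        self.app = app
        self.policy = policy
        # Hypothetical opt-out list for pages that are meant to be framed.
        self.exempt_prefixes = tuple(exempt_prefixes)

    def __call__(self, environ, start_response):
        exempt = environ.get("PATH_INFO", "").startswith(self.exempt_prefixes)

        def patched_start(status, headers, exc_info=None):
            # Header names are case-insensitive; keep a value the page set itself.
            names = {name.lower() for name, _ in headers}
            if not exempt and FRAME_HEADER.lower() not in names:
                headers = list(headers) + [(FRAME_HEADER, self.policy)]
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start)


def demo_app(environ, start_response):
    """Constructed sample app; /widget sets its own framing policy."""
    headers = [("Content-Type", "text/html")]
    if environ["PATH_INFO"] == "/widget":
        headers.append(("x-frame-options", "SAMEORIGIN"))
    start_response("200 OK", headers)
    return [b"<html><body>sample</body></html>"]


def response_headers(app, path):
    """Issue a constructed GET request and return the response headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = dict(headers)

    b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["headers"]
```

Browsers that do not implement the header ignore it, so the IE6 concern raised in the comments still applies to those users.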