tags:

views:

9234

answers:

5
+5  Q: 

How to prevent IFRAME from redirecting top-level window

Some websites have code to "break out" of IFRAME enclosures, meaning that if a page A is loaded as an IFRAME inside an parent page P some Javascript in A redirects the outer window to A.

Typically this Javascript looks something like this:

<script type="text/javascript">
  if (top.location.href != self.location.href)
     top.location.href = self.location.href;
</script>

My question is: As the author of the parent page P and not being the author of the inner page A, how can I prevent A from doing this break-out?

P.S. It seems to me like it ought to be a cross-site security violation, but it isn't.

A: 

By doing so you'd be able to control any action of the framed page, which you cannot. Same-domain origin policy applies.

Diodeus  2008-12-15 20:17:59
I'm not asking to control what's inside the IFRAME. I'm asking to *prevent* what's inside the IFRAME from controlling me.
Jason Cohen  2008-12-15 20:20:19
+4  A: 

try using the onbeforeunload property, which will let the user choose whether he wants to navigate away from the page.

The IFrames do not allow cross domain access.

fasih.ahmed  2008-12-15 20:21:35
+1  A: 

Since the page you load inside the iframe can execute the "break out" code with a setInterval, onbeforeunload might not be that practical, since it could flud the user with 'Are you sure you want to leave?' dialogs.

There is also the iframe security attribute which only works on IE & Opera

:(

 2009-01-22 12:30:01
A: 

In my case I want the user to visit the inner page so that server will see their ip as a visitor. If I use the php proxy technique I think that the inner page will see my server ip as a visitor so it is not good. The only solution I got so far is wilth onbeforeunload. Put this on your page:

<script type="text/javascript">
    window.onbeforeunload = function () {                       
         return "This will end your session";
    }
</script>

This works both in firefox and ie, thats what I tested for. you will find versions using something like evt.return(whatever) crap... that doesn't work in firefox.

radu  2010-01-26 12:12:37
A: 

I've found some useful hacks on this:

http://stackoverflow.com/questions/1794974/using-js-how-can-i-stop-child-iframes-from-redirecting-or-at-least-prompt-users

http://www.codinghorror.com/blog/2009/06/we-done-been-framed.html

http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing/

artur  2010-03-22 22:53:06

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?