tags:

views:

169

answers:

5
+1  Q: 

Block iframe from setting parent.location (prevent framebusting)

I have a website on my own domain where i include iframes to other sites on other domains for quick preview purposes.

The problem is that some websites has framebusting code that redirects the user from my site.

How can i stop this. Even not showing the iframe at all would be better than the redirect in the case of a framebuster.

Shouldnt this redirect be blocked by the same site origin protection btw?

Update

Ok, so it seems to be impossible to prevent it, but is it possible to just dont display the frame at all instead.

I tried with a double frame aproach: A and B is on my site, B contains C and when B gets window.onbeforeunload it sends a message to A to remove B. This didn't work either as the frames seem to have access all the way to the top window and not only the parent.

window.onbeforeunload works for blocking the redirect btw but then you have to display a dialog.

+5  A: 

This can't be done because you can't access the DOM of the page in the iframe if it violates the same-origin policy.

Just don't do it. If people have framebusting code, they clearly don't want their page to be in a frame. Respect that.

Aillyn  2010-09-19 17:50:48
A: 

How can i stop this.

You can't. If you could, it would defeat the purpose of having frame-busting code in the first place.

Shouldnt this redirect be blocked by the same site origin protection btw?

That only protects you from accessing/modifying the DOM (i.e. document object) of a page. Frame-busting code only uses the window object to both detect frames and redirect to another page.

casablanca  2010-09-19 17:54:19
A: 

It's a cat-and-mouse game, but framebusting can be defeated.

According to researchers (PDF) from Stanford University and Carnegie Mellon University, frame-busting isn’t as effective at preventing clickjacking as hoped. An analysis of the Top 500 Websites ranked by Alexa found all of the frame busting implementations could be circumvented. Some of the circumventions were browser-specific, while others worked across all browsers, the researchers found.

The original article on eweek;
The research paper from Stanford (PDF)

quantumSoup  2010-09-19 18:07:41
A: 

If all you want is a preview of the website there are a number of services out there that do that. I have not used any, but a quick Google search finds this one

http://www.thumbshots.com/

jhanifen  2010-09-19 18:50:14
A: 

How about running a test in a popup? Give it 20 seconds, if you still have control of the popup (i.e. the frame didn't change the document.url) then load it in a new frame (?) and display to the user. Otherwise, don't show a frame at all. It's not foolproof but could work.

Tim Green  2010-09-19 18:54:08

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript