tags:

views:

629

answers:

4
+5  Q: 

Possible to prevent our website from running inside another domain's frameset or IFrame?

We've been having an problem recently where other sites are running our e-commerce site inside a frameset where our site (with the offenders affiliate id tacked on) is the only content in a single full width frame. So essentially it looks and feels like our site with their URL at the top. We can cut off their affiliate id, which would make it pointless for them to do, but this doesn't prevent future offenders from doing the same thing until we find out about it.

Is there a generic way (through JavaScript that appears on every page perhaps?) to prevent this from happening? Note that adding targets to to all links is not feasible, but adding a snippet of JS to all pages is, since the header and footer portions are shared sitewide from a single source.

Another possibility would be at the Apache level (if there is anything we could do server side) as we do pass all requests through mod-rewrite.

Note that it would be essential to sill allow pages to load inside an IFrame if the parent page originates from our domain, as we make valid use of IFrames

+6  A: 

You can use javascript to do framebusting. I believe this still works for an iFrame.

http://www.quirksmode.org/js/framebust.html

Soviut  2009-01-20 01:20:11
A: 

Just guessing here...but what if you use javascript to call your parent window to access its document object ? You could check if its not null, and if there is a parent window (meaning a frame loaded your site), you could hide all your html through javascript...

Jobo  2009-01-20 01:20:39
+2  A: 

Take a look at this article. It offers a fairly simple solution for detecting frames and breaking out of them.

How to Break Out of Frames with JavaScript

In addition, I would take it one step further. Whenever you detect a frame, grab the affiliate ID of the offending site framer, and push that to the server with AJAX along with the URL they are using. Then, either automatically or manually, you can verify that they are framing your site, and cancel their affiliate code one at a time.

Lusid  2009-01-20 01:21:31
+4  A: 

I've heard of solutions to this problem being referred to as a "frame popper script". A quick google comes up with this thread. Looks like this is one of the simplest:

if (window != top) top.location.href = location.href;
Greg Hewgill  2009-01-20 01:27:32
That would be quite nifty, the hacking site trying to 'Iframe' your site, would be redirected to your site in the parent window :)
Jobo  2009-01-20 01:30:02
you can also write this as `if(top !== self) top.location.href = self.location.href` - same thing, but more symmetric
Christoph  2009-01-20 01:50:22

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript