can a page always refused to be iframed or be part of a frameset if javascript is enabled?

Question

When a page is iframed or included as part of a frameset, it can use Javascript to check so. (i think usually by

if (self != top) top.location.href = self.location.href;

). Can the page always "jump back out" like that when Javascript is enabled? Is there a way to not let it jump back out? (suppose my page is iframing that page).

(in another scenario, i think if we use window.open() to open the page in a new windoe, then the page almost always cannot refuse... unless they check the referrer and actually refuse to serve the page even if it is a new, standalone window).

Answer 1

As far as I know, there is only one way - a Microsoft proprietary extension to HTML that allows an iframe start tag to specify that the page should be loaded with reduced security privileges - which usually blocks JS from running in it.

Happily other browsers do not support this feature.

Answer 2

Perhaps you can check out the window.location.href property. If it matches, then let your page load. Else, stop!

Answer 3

There is some interesting work being done at Carlton University that was presented at CCS called SOMA (Same Origin Mutual Approval) which basically presents a model for content inclusion (ala iframes) where both parties must approve of the inclusion for the browser to go through with it.

Unfortunately it's still in its early stages, and although they've already developed a Firefox addon, it needs to gain traction in the web development community and native browser support before it's viable.

It's still cool to check out though: http://www.ccsl.carleton.ca/software/soma/

Answer 4

Without any special extension or hacks to the browser, the framed page can choose to break out of the frame by reloading itself into the top frame.

Personally, I feel that attempting to block a framed page from breaking out of the frame is bad netiquette.