tags:

views:

857

answers:

2
+8  Q: 

Why do frame breakers work cross-domain, and can you conditionally use frame breakers?

I've been investigating frame breaking code recently and have come across some really bizarre behavior related to the same origins policy that I am having trouble understanding.

Suppose I've got a page Breaker.html on domain A, and a page Container.html on domain B. The example frame breaker code would go into Breaker.html, like below:

if (top !== self) top.location.href = self.location.href;

This will successfully break Breaker.html out of Container.html, but I don't understand why it should. From my reading of the same origins policy, top.location shouldn't be accessible at all, since Container.html is on a different domain than Breaker.html. Even weirder, it appears that top.location write-only:

// Fails if Container.html is on a different domain than Breaker.html
alert(top.location);

This is problematic to me because I'm trying to write code that allows my page to be in an iframe, but only if it's on the same domain as its parent (or is on a configured allowable domain) . However, it seems to be impossible to determine this, since the same origins policy denies me access to the parent's location.

So I've got two questions, basically:

  1. Why does the above frame breaker code work at all?

  2. Is there any way to break frames conditionally, or is the only check one can do is whether top !== self? (In particular, I want to be able to read the domain, so that I can provide a list of allowable domains; simply checking whether I'm in the same domain or not would not be ideal.)

+1  A: 

FOr your answer to number 1: In terms of security, there is a big difference between read access and write access. Being able to read top.location.href is a security problem. Being able to write to top.location.href is not.

As for the answer to your question, I don't know javascript well enough to be sure, but one idea would be to assumine that if reading top.location fails (check for exceptions), it is on a different domain.

Brian  2009-06-04 18:22:14
"The same origin policy prevents a document or script loaded from one origin from getting **or setting** properties of a document from another origin." - this is where I get hung up. Also, I thought about doing #2, but I also want to allow admins to specify which domains it would be okay to be framed within - I will reword question.
Daniel Lew  2009-06-04 18:26:24
Writing to top.location.href doesn't set any properties of a foreign document; instead, it unloads the previous document and loads a new one in its place.
eswald  2009-06-04 18:44:46
@Daniel: My comment about the difference was intended to be from a pragmatic perspective, not from a technical specification perspective. My point was that it was not a legitimate security problem and thus was legal, rather than suggesting that the specification said it was OK.
Brian  2009-06-05 00:30:46
A: 

The answer to question 1 is that the equality operator can be used against top.location.href for legacy reasons. Breaker.html cannot read top.location.href but it can compare it with another value.

The answer to question 2 then becomes no, you must use the !== to part because you won't be able to do a substring on top.location.href from a cross domain breaker.html.

I could be wrong but that's my understand of the current iframe world.

Adam Nelson  2009-06-04 19:07:26

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript