ansaurus

Question

Frame Buster Buster ... buster code needed

Answer 1

A:

A simple, naive and probably wrong thing:

if (top != self)
{
  // super obfuscated buster-buster-buster code
  window.onbeforeunload = null;
  top.location.replace(self.location.href);
}

disclaimer:

I know nothing about web programming or Javascript

1800 INFORMATION 2009-06-06 04:40:19

does not work. try it.

Jeff Atwood 2009-06-06 04:40:39

which, I also pointed out IN THE POST BODY. Just sayin'.

Jeff Atwood 2009-06-06 04:40:55

Obviously, I didn't read that far

1800 INFORMATION 2009-06-06 04:50:46

Answer 2

+1 A:

Well, you can modify the value of the counter, but that is obviously a brittle solution. You can load your content via AJAX after you have determined the site is not within a frame - also not a great solution, but it hopefully avoids firing the on beforeunload event (I am assuming).

Edit: Another idea. If you detect you are in a frame, ask the user to disable javascript, before clicking on a link that takes you to the desired URL (passing a querystring that lets your page know to tell the user that they can re-enable javascript once they are there).

Edit 2: Go nuclear - if you detect you are in a frame, just delete your document body content and print some nasty message.

Edit 3: Can you enumerate the top document and set all functions to null (even anonymous ones)?

RedFilter 2009-06-06 04:40:24

Answer 3

+4 A:

I think you were almost there. Have you tried:

window.parent.onbeforeunload = null;
window.parent.location.replace(self.location.href);

or, alternatively:

window.parent.prevent_bust = 0;

Note: I didn't actually test this.

Jeff Meatball Yang 2009-06-06 04:48:32

I edited your code sample (the test for parent seems to fail) but the edited version DOES appear to work!

Jeff Atwood 2009-06-06 04:57:19

Cool. It's always tricky to answer with untested code - I do it to at least get the idea across - and let the poor asker debug. :)

Jeff Meatball Yang 2009-06-06 05:00:56

Won't work if parent is on a different domain, which is likely the case!

Josh Stodola 2009-06-18 14:41:56

Answer 4

+18 A:

Came up with this, and it seems to work at least in Firefox.

if(top != self) {
 top.onbeforeunload = function() {};
 top.location.replace(self.location.href);
}

Jani Hartikainen 2009-06-06 04:55:18

both Jani and Jeff's solution (once edited) are correct and work equivalently; giving Jani the accept because his solution worked right without any editing

Jeff Atwood 2009-06-06 04:59:50

This will only work if the two windows are of the same domain; a rare occurrence when you want to escape from a frame.

J-P 2009-06-06 08:17:20

If there are nested frames involved, you'll have to walk the frame chain and remove all `onbeforeunload` handlers, not just the one on top!

Christoph 2009-06-06 09:01:41

important clarification: this worked for me because the iframe src= was being set dynamically, and thus the cross-domain policy was NOT in effect. J-P is absolutely right, in a static src= this wouldn't work.

Jeff Atwood 2009-06-07 09:17:29

ok now can someone come up with a frame buster buster buster buster?

Epaga 2009-06-12 14:45:10

Jeff, are you trying to say that setting the SRC to a different domain programmatically bypasses the cross-domain policy? If so, that seems like a ridiculous bug that you certainly should not rely on.

Josh Stodola 2009-06-18 17:11:33

Additionally, if that is true, all the evil site has to do to counteract this is set the SRC on the server-side instead...?

Josh Stodola 2009-06-18 17:12:57

Answer 5

A:

In a real world scenario involving different domain names you can't touch other window contexts anyways. You don't even have read access to the location property. Am I missing something here? Or are you guys doing your tests from a single domain name?

2009-06-06 07:31:11

`window.location` is normally (at least partially) excluded from the same-origin policy, but as J-P mentioned, setting `window.onbeforeunload` across domains will most likely fail

Christoph 2009-06-06 10:05:48

Answer 6

A:

What about calling the buster repeatedly as well? This'll create a race condition, but one may hope that the buster comes out on top:

(function() {
    if(top !== self) {
     top.location.href = self.location.href;
     setTimeout(arguments.callee, 0);
    }
})();

Christoph 2009-06-06 09:20:33

Answer 7

+4 A:

Ok, so we know that were in a frame. So we location.href to another special page with the path as a GET variable. We now explain to the user what is going on and provide a link with a target="_TOP" option. It's simple and would probably work (haven't tested it), but it requires some user interaction. Maybe you could point out the offending site to the user and make a hall of shame of click jackers to your site somewhere.. Just an idea, but it night work..

2009-06-12 01:44:09

Answer 8

+32 A:

I'm not sure if this is viable or not - but if you can't break the frame, why not just display a warning. For example, If your page isn't the "top page" create a setInterval method that tries to break the frame. If after 3 or 4 tries your page still isn't the top page - create a div element that covers the whole page (modal box) with a message and a link like...

You are viewing this page in a unauthorized frame window - (Blah blah... potential security issue)

click this link to fix this problem

Not the best, but I don't see any way they could script their way out of that.

Hugoware 2009-06-18 13:21:16

I have tried this and this works. Another piece that I like about this solution is that it brings to light to the user what kind of site he/she was on before going to your content.Sample Code:if (parent.frames.length > 0) { top.location.replace(document.location); setTimeout(function() { if (parent.frames.length > 0) { document.location = "http://www.google.com"; } }, 10);}

pope 2009-06-21 02:55:25

Not only is this a good way of avoiding abuse, it's pretty friendly to sites who may want to iframe your site just to take a peek at it, though not to allow use of it. Ideally, I think a screenshot of the site's homepage should be used, with some explanation of why it can't be used in the iframe overlaid on top.

wheresrhys 2010-02-11 18:19:21

Answer 9

+6 A:

After pondering this for a little while, I believe this will show them whose boss...

if(top != self) {
  window.open(location.href, '_top');
}

Using "_top" as the target parameter for window.open will launch it in the same window.

Josh Stodola 2009-06-18 14:40:02

this doesnt help because it would just annoy the average user who have no idea wtf frames are, and they see your site, logo etc, and see that it sucks due to the alerts. you have to make it work without user intervention/annoyance.

Chii 2009-06-19 07:57:47

LOL, the alert loop was a joke dude. Lighten up.

Josh Stodola 2009-06-19 14:27:22

Answer 10

+2 A:

All the proposed solutions directly force a change in the location of the top window. What if a user wants the frame to be there? For example the top frame in the image results of search engines.

I wrote a prototype where by default all inputs (links, forms and input elements) are disabled and/or do nothing when activated.

If a containing frame is detected, the inputs are left disabled and a warning message is shown at the top of the page. The warning message contains a link that will open a safe version of the page in a new window. This prevents the page from being used for clickjacking, while still allowing the user to view the contents in other situations.

If no containing frame is detected, the inputs are enabled.

Here is the code. You need to set the standard HTML attributes to safe values and add additonal attributes that contain the actual values. It probably is incomplete and for full safety additional attributes (I am thinking about event handlers) will probably have to be treated in the same way:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
  <head>
    <title></title>
    <script><!--
      function replaceAttributeValuesWithActualOnes( array, attributeName, actualValueAttributeName, additionalProcessor ) {
        for ( var elementIndex = 0; elementIndex < array.length; elementIndex += 1 ) {
          var element = array[ elementIndex ];
          var actualValue = element.getAttribute( actualValueAttributeName );
          if ( actualValue != null ) {
            element[ attributeName ] = actualValue;
          }

          if ( additionalProcessor != null ) {
            additionalProcessor( element );
          }
        }
      }

      function detectFraming() {
        if ( top != self ) {
          document.getElementById( "framingWarning" ).style.display = "block";
        } else {
          replaceAttributeValuesWithActualOnes( document.links, "href", "acme:href" );

          replaceAttributeValuesWithActualOnes( document.forms, "action", "acme:action", function ( form ) {
            replaceAttributeValuesWithActualOnes( form.elements, "disabled", "acme:disabled" );
          });
        }
      }
      // -->
    </script>
  </head>
  <body onload="detectFraming()">
    <div id="framingWarning" style="display: none; border-style: solid; border-width: 4px; border-color: #F00; padding: 6px; background-color: #FFF; color: #F00;">
      <div>
        <b>SECURITY WARNING</b>: Acme App is displayed inside another page.
        To make sure your data is safe this page has been disabled.<br>
        <a href="framing-detection.html" target="_blank" style="color: #090">Continue working safely in a new tab/window</a>
      </div>
    </div>
    <p>
      Content. <a href="#" acme:href="javascript:window.alert( 'Action performed' );">Do something</a>
    </p>
    <form name="acmeForm" action="#" acme:action="real-action.html">
      <p>Name: <input type="text" name="name" value="" disabled="disabled" acme:disabled=""></p>
      <p><input type="submit" name="save" value="Save" disabled="disabled" acme:disabled=""></p>
    </form>
  </body>
</html>

Johan Stuyts 2009-06-19 01:47:38

The problem with this is the frame-maker could use position:absolute to place active button on top of your inactive buttons and the user will just see your webpage and think they are clicking YOUR buttons.

jmucchiello 2009-06-21 08:36:02

The warning message would still be shown, but of course it is easy to cover the link to the safe page as you suggest. But why go through all the trouble of framing my page to get people to click on a familiar button if you can simply copy the page and achieve the same effect?The code above mainly prevents clickjacking. If you show my page invisibly above another page it isn't possible to invoke actions on my site.

Johan Stuyts 2009-06-23 12:21:22

Answer 11

+6 A:

http://coderrr.wordpress.com/2009/06/18/anti-anti-frame-busting/

if (top != self) {  
  top.location.replace(document.location)  
  alert('busting you out, please wait...')  
}

2009-06-19 04:42:43

Answer 12

+4 A:

if (top != self) {
  top.location.replace(location);
  location.replace("about:blank"); // want me framed? no way!
}

2009-06-19 15:23:24

Does this work? Has it been tested?

thomasrutter 2010-04-11 10:06:57

Answer 13

+1 A:

If you add an alert right after the buster code, then the alert will stall the javascript thread, and it will let the page load. This is what StackOverflow does, and it busts out of my iframes, even when I use the frame busting buster. It also worked with my simple test page. This has only been tested in Firefox 3.5 and IE7 on windows.

Code:

<script type="text/javascript">
if (top != self){
  top.location.replace(self.location.href);
  alert("for security reasons bla bla bla");
}
</script>

Marius 2009-07-22 09:17:09

Answer 14

A:

If you want to test your buster buster buster, I made a page that frames any given URL.

Ivo Danihelka 2009-11-10 20:12:25

Answer 15

A:

setInterval and setTimeout create an automatically incrementing interval. Each time setTimeout or setInterval is called, this number goes up by one, so that if you call setTimeout, you'll get the current, highest value.

   var currentInterval = 10000;
   currentInterval += setTimeout( gotoHREF, 100 );
   for( var i = 0; i < currentInterval; i++ ) top.clearInterval( i );
   // Include setTimeout to avoid recursive functions.
   for( i = 0; i < currentInterval; i++ )     top.clearTimeout( i );

   function gotoHREF(){
           top.location.href = "http://your.url.here";
   }

Since it is almost unheard of for there to be 10000 simultaneous setIntervals and setTimeouts working, and since setTimeout returns "last interval or timeout created + 1", and since top.clearInterval is still accessible, this will defeat the black-hat attacks to frame websites which are described above.

Christopher W. Allen-Poole 2009-12-23 15:40:15

Answer 16

A:

If you look at the values returned by setInterval() they are usually single digits, so you can usually disable all such interrupts with a single line of code:

for (var j = 0 ; j < 256 ; ++j) clearInterval(j)

Robin Nixon 2010-02-21 08:57:59

Answer 17

+5 A:

FWIW, most latest-version browsers support the X-Frame-Options: deny directive, which works even when script is disabled.

IE8:
http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

Firefox (unreleased?)
https://bugzilla.mozilla.org/show_bug.cgi?id=475530

Chrome (unreleased?)
http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html

EricLaw -MSFT- 2010-03-19 18:54:06

excellent, supporting this in the browser .exe is the way to go without a doubt. When you say "most browsers", which ones specifically? I can't find good sources for anything but IE8.

Jeff Atwood 2010-03-29 21:50:59

Here's a test page: http://www.enhanceie.com/test/clickjack/. Chrome 4.1.249.1042 supports. Opera 10.50 supports. Firefox 3.6.2 does NOT yet support. Safari 4.0.3 supports.

EricLaw -MSFT- 2010-03-30 19:27:17

Firefox 3.6.9 will support it natively ( http://hackademix.net/2010/08/31/x-frame-options-finally-on-vanilla-firefox/ ) and any Firefox install with NoScript has had it since the beginning of 2009 ( http://hackademix.net/2009/01/29/x-frame-options-in-firefox/ )

ssokolow 2010-08-31 05:47:39

ansaurus

tags:

views:

answers:

Frame Buster Buster ... buster code needed

related questions