Difference between revisions of "Framekiller"
Joey66699912 (talk | contribs) (Created page with "A framekiller (or framebuster or framebreaker) is a piece of JavaScript code that doesn't allow a Web page to be displayed within a frame. A frame is a subdivision of a Web brows…") |
(Revert major vandalism) |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 2: | Line 2: | ||
The typical source code for a framekiller script is: | The typical source code for a framekiller script is: | ||
− | + | ||
<script type="text/javascript"> | <script type="text/javascript"> | ||
if(top != self) top.location.replace(location); | if(top != self) top.location.replace(location); |
Latest revision as of 15:33, 12 April 2015
A framekiller (or framebuster or framebreaker) is a piece of JavaScript code that doesn't allow a Web page to be displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. This kind of script is often used to prevent a frame from an external Web site being loaded from within a frameset without permission.
The typical source code for a framekiller script is:
<script type="text/javascript">
if(top != self) top.location.replace(location);
</script>
There are many variations of this script. This example is cross-browser compatible, avoids depreciated objects, and uses replace which preserves the user's back-button. Comparing object references, top, self and location directly is slightly more efficient, and succinct.
Framekiller Killers
The above framekiller can be prevented from working with the following JavaScript along with a server which responds with a HTTP/1.1 204 No Content, as discovered in this blog
. Just place the following code in the top frame. It works because in most browsers a 204 HTTP response will do nothing, meaning it will leave us on the current page. But the request attempt will override the previous frame busting attempt, rendering it useless.
var prevent_bust = 0;
// Event handler to catch execution of the busting script. window.onbeforeunload = function() { prevent_bust++ };
// Continuously monitor whether busting script has fired. setInterval(function() { if (prevent_bust > 0) { // Yes: it has fired. prevent_bust -= 2; // Avoid further action. // Get a 'No Content' status which keeps us on the same page. window.top.location = 'http://server-which-responds-with-204.com'; } }, 1);
Alternative Solution
An alternative choice is to allow the user to determine whether to let the framekiller work, as discovered by the Framekiller Killer
.
var framekiller = true; window.onbeforeunload = function() { if(framekiller) { return "..."; // any message that helps user to make decision } };
and the code below should be added after the frame tag:
//"my_frame" should be changed according to the real id of the frame in your page document.getElementById("my_frame").onload = function() { framekiller = false; };
Limitations
This client-side JavaScript solution relies on the end-user's browser enforcing their own security. This makes it a beneficial, but unreliable, means of disallowing your page to be embedded in other pages. The following situations may render the script above useless:
* The user agent does not support JavaScript. * The user agent supports JavaScript but the user has turned support off. * The user agent's JavaScript support is flawed or partially implemented. * The user agent's behavior is modified by a virus or plug-in (possibly without the user's knowledge) in a way that undermines the framekiller script.
In 2010 a paper was published highlighting limitations of current frame-busting techniques and proposing improved version:
<style> html{display : none ; } </style> <script> if( self == top ) { document.documentElement.style.display = 'block' ; } else { top.location = self.location ; } </script>