|
|
| Line 1: |
Line 1: |
| − | A framekiller (or framebuster or framebreaker) is a piece of JavaScript code that doesn't allow a Web page to be displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. This kind of script is often used to prevent a frame from an external Web site being loaded from within a frameset without permission. | + | A framekiller (or framebuster or framebreaker) is a piece of JavaScript code that doesn't allow a Web page to be displayed within a frame. A frame is a suEJFKDSNFD |
| − | | |
| − | The typical source code for a framekiller script is:
| |
| − | | |
| − | <script type="text/javascript">
| |
| − | if(top != self) top.location.replace(location);
| |
| − | </script>
| |
| − | | |
| − | There are many variations of this script. This example is cross-browser compatible, avoids depreciated objects, and uses replace which preserves the user's back-button. Comparing object references, top, self and location directly is slightly more efficient, and succinct.
| |
| − | == Framekiller Killers ==
| |
| − | | |
| − | The above framekiller can be prevented from working with the following JavaScript along with a server which responds with a HTTP/1.1 204 No Content, as discovered in this blog
| |
| − |
| |
| − | . Just place the following code in the top frame. It works because in most browsers a 204 HTTP response will do nothing, meaning it will leave us on the current page. But the request attempt will override the previous frame busting attempt, rendering it useless.
| |
| − | | |
| − | var prevent_bust = 0;
| |
| − | | |
| − | // Event handler to catch execution of the busting script.
| |
| − | window.onbeforeunload = function() { prevent_bust++ };
| |
| − | | |
| − | // Continuously monitor whether busting script has fired.
| |
| − | setInterval(function() {
| |
| − | if (prevent_bust > 0) { // Yes: it has fired.
| |
| − | prevent_bust -= 2; // Avoid further action.
| |
| − | // Get a 'No Content' status which keeps us on the same page.
| |
| − | window.top.location = 'http://server-which-responds-with-204.com';
| |
| − | }
| |
| − | }, 1);
| |
| − | | |
| − | == Alternative Solution ==
| |
| − | | |
| − | An alternative choice is to allow the user to determine whether to let the framekiller work, as discovered by the Framekiller Killer
| |
| − |
| |
| − | .
| |
| − | | |
| − | var framekiller = true;
| |
| − | window.onbeforeunload = function() {
| |
| − | if(framekiller) {
| |
| − | return "..."; // any message that helps user to make decision
| |
| − | }
| |
| − | };
| |
| − | | |
| − | and the code below should be added after the frame tag:
| |
| − | | |
| − | //"my_frame" should be changed according to the real id of the frame in your page
| |
| − | document.getElementById("my_frame").onload = function() {
| |
| − | framekiller = false;
| |
| − | };
| |
| − | | |
| − | == Limitations ==
| |
| − | | |
| − | This client-side JavaScript solution relies on the end-user's browser enforcing their own security. This makes it a beneficial, but unreliable, means of disallowing your page to be embedded in other pages. The following situations may render the script above useless:
| |
| − | | |
| − | * The user agent does not support JavaScript.
| |
| − | * The user agent supports JavaScript but the user has turned support off.
| |
| − | * The user agent's JavaScript support is flawed or partially implemented.
| |
| − | * The user agent's behavior is modified by a virus or plug-in (possibly without the user's knowledge) in a way that undermines the framekiller script.
| |
| − | | |
| − | In 2010 a paper was published highlighting limitations of current frame-busting techniques and proposing improved version:
| |
| − | | |
| − | <style> html{display : none ; } </style>
| |
| − | <script>
| |
| − | if( self == top ) {
| |
| − | document.documentElement.style.display = 'block' ;
| |
| − | } else {
| |
| − | top.location = self.location ;
| |
| − | }
| |
| − | </script>
| |
