We Done Been ... Framed!

In my previous post, Url Shorteners: Destroying the Web Since 2002, I mentioned that one of the "features" of the new generation of URL shortening services is to frame the target content.

This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2009/06/we-done-been-framed.html

Frames themselves are evil. Many corporate firewalls prevent the display of pages that are embedded in a frame.

It would be good if the capability to create a frame was removed from the html markup.

You could open a new window with the content and redirect the framed page to about:blank. Mind you, it’s user-hostile to bust a friendly frame like Digg’s; I would be inclined to allow users read-only access to the page if it thinks it’s being framed. And give them a big BUST button if they want to upvote or comment or change their preferences.

(Heh, you could make the page read-only by superimposing an invisible frame.)

As you say, you cannot reliably bust out of a “malign” frame. But you can detect this condition and notify (or annoy) the user, right? For example:

if (top !== self) { alert("stop framing me!"); } // top is the outermost window, self is this one; document.href does not exist

Sort of final effort nuking if the frame busting didn’t work…


To rid the frame-busting-busting JS, couldn’t you just override the window.onbeforeunload function with an empty function? Then the counter would never get incremented and you could leave the page.


Cross-domain security in the browser prevents you from doing this. You’d be modifying code on another domain.

You could always replace your content with [goatse|a page full of ads|a courteous notice] if the page is framed.

You could always replace your content with [goatse|a page full of ads|a courteous notice] if the page is framed.

Not sure what happened there, but the first time I submitted my comment I got:

Your comment submission failed for the following reasons:
Publish failed: Renaming tempfile ‘C:\codinghorror\blog\archives\001277.html.new’ failed: Renaming ‘C:\codinghorror\blog\archives\001277.html.new’ to ‘C:\codinghorror\blog\archives\001277.html’ failed: Permission denied

But it seems the comment actually got there. Caching problems?

I would absolutely love a Firefox extension that replaces all third-party frames with a single link to the URL in question with rel="_top" set.

I was thinking like Ilia in this case. Why not hide all your content and then show only a message like:

You are being framed to this page, please go to
to see the real content

In this case, even if the overriding was overridden you could still detect it and try to get the user to go to the original content. Of course, all of this is dependent on the client browser having JavaScript enabled. If not, then the frame stays no matter what you do.
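Putting the two ideas above together (detect framing with a window comparison rather than top.location, then hide the content and show a notice with a link out, instead of fighting the parent with frame busting), here is an added example that is not code from the thread or the blog. It assumes the page has elements with ids `content` and `frame-notice` and that it is served at its canonical URL; the stand-in window objects are constructed for illustration and are not real browser objects.

```javascript
// Added example, not from the original thread: detect framing and replace the
// page with a notice instead of trying to bust out (which a hostile parent can
// block). Functions take window/document-like objects so they run outside a browser.

function isFramed(win) {
  try {
    // Reference comparison only; never touches top.location, which throws
    // for a cross-origin parent.
    return win.top !== win.self;
  } catch (e) {
    // If the browser will not even let us look at top, assume we are framed.
    return true;
  }
}

function framingDecision(win, canonicalUrl) {
  if (!isFramed(win)) {
    return { framed: false, showContent: true, notice: null };
  }
  return {
    framed: true,
    showContent: false,
    notice: 'This page is being shown inside a frame. Open ' + canonicalUrl +
            ' directly to see the real content.'
  };
}

// Hide the real content and show the notice with a link targeting the top window.
function applyDecision(doc, decision, canonicalUrl) {
  if (decision.showContent) return decision;
  doc.getElementById('content').style.display = 'none';
  const notice = doc.getElementById('frame-notice');
  notice.textContent = decision.notice + ' ';
  const link = doc.createElement('a');
  link.href = canonicalUrl;
  link.target = '_top';
  link.textContent = canonicalUrl;
  notice.appendChild(link);
  return decision;
}

// Constructed stand-ins for a top-level window and a framed one (not real browser objects).
function sampleWindows() {
  const topLevel = {}; topLevel.top = topLevel; topLevel.self = topLevel;
  const framed = {}; framed.self = framed; framed.top = {}; // parent is another window
  return { topLevel, framed };
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const url = document.location.href; // assumes the page is served at its canonical URL
  applyDecision(document, framingDecision(window, url), url);
}
```

Without JavaScript the content simply stays visible inside the frame, as the comment above notes; a server-side X-Frame-Options header is the only defence that does not depend on script running.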

Would sending a X-FRAME-OPTIONS HTTP header help?


Currently only supported by IE8 and Safari 4, but other browsers will surely follow.

The clickjacking issue is considerably more complex than most realize:


particularly since NO browser can reliably unframe through JavaScript, despite these claims…


I find it quite amusing that IE is singled out (and to be fair, they have that really dumb directive) when framebusting is NEVER reliable in ANY browser.

In WinForms, if you set opacity to zero, the form effectively isn’t there anymore and clicks go through to whatever is beneath - this could be something that browsers could look at doing… though setting to ‘nearly’ invisible would probably break that.

No more orange?


Why do people do this!

We Done Been… Framed!
Is that English? I can’t make sense of the title, am I missing some obscure reference?

Or you could just use NoScript, (http://noscript.net/) like all the cool kids.

(Punchline: I had codinghorror.com blocked, and had to allow it to get recaptcha to work.)

Except that according to Google the link=canonical can’t be used to suggest a page on a different domain, and will be ignored.

Can rel=“canonical” be used to suggest a canonical url on a completely different domain?
No. To migrate to a completely different domain, permanent (301) redirects are more appropriate. Google currently will take canonicalization suggestions into account across subdomains (or within a domain), but not across domains. So site owners can specify a canonical page on www.example.com from a set of pages on example.com or help.example.com, but not on example-widgets.com.

Could you detect framing, try to bust it, and if that doesn’t work then redirect your way out of the frame? And if not, why not?