We Done Been ... Framed!

An interesting point that I was unaware of.

http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx - Also interesting

Dinah: To the best of my knowledge, you can’t set target on a redirect. Besides, by the time you’re trying to bust it, it’s a bit late to try and trick the browser into a redirect to get around someone else’s framing attack.

Bill: Maybe Digg and Google have an agreement regarding rel=“canonical” that they’ve not bothered to tell anyone about. It’s a longshot, but possible.

I have a question, since the way the article ended up is that framing is not so much bad for the websites as it is a risk to the users (thus bad rep for the site). Can external javascript fix this? For example a Greasemonkey script for Fx users?

I’m glad you’ve stopped talking about regular expressions, unix, and other things you don’t understand, and have gone back to masturbatory web-development garbage. It’s where you belong.

You started to lead into my real fear regarding clickjacking – Ads.

The popup ads that just add a layer over your screen, with a ‘Close’ link on it?

We have no way of knowing what is really behind that close link. Sure, it is supposed to clear the ad that is blocking the content. But it COULD do anything.

I’m not the slightest bit worried about framing until ads of this type go away.

A sub-optimal ‘solution’ that’s working for me

  1. (in firefox) go to about:config
  2. set the browser.frames.enabled parameter to false

done!
(yes, I know this is a tad scorched-earth and doesn’t help anyone else but seriously, frames?)

broseph:

So when Jeff posts about stuff he’s learning, it’s misinformed; when he posts about stuff he does know, it’s masturbatory?

And yet you still take your valuable time to read his blog and then bother to comment on it!

P.S. Jeff has invested hours of his time into a fairly-useful blog and a fairly-useful site. What have you ever accomplished?

“…skilled adversary that wants to frame your contnet, all bets are off”

Please fix.

Good article.

of course, the browser.frames.enabled parameter also kills iframes. d’oh

You can torture them with an alert loop, or just launch a new window, right?

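    // Parent window holds at least one frame: treat the page as framed.
    if (parent.frames.length > 0) {
        document.body.style.display = 'none';
        alert('How dare you frame into my web site!');
        var w = window.open(location.href, 'mySite');
        if (w) w.focus(); // window.open returns null when a popup blocker intervenes
    }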

Someone should really build a client framework to get rid of all that stuff. How can I ever hope to build something significant if I have to worry about someone somewhere trying to steal my user mouse clicks?

While you may not be able to escape the frame, you can control what you display when framed. For security-critical content or UI, you can use CSS so that the content is not visible by default, then enable it with Javascript after checking that you’re not framed. This is akin to the blacklist vs. whitelist approach: rather than trying to stop the evil after you recognize it, instead be safe by default and only take the action (enable the content) once you know it’s safe. This has obvious performance trade-offs, unfortunately, so it’s mostly a technique for browsers where X-FRAME-OPTIONS or the equivalent are not available and you’ve decided protection is important.
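The default-hidden approach from the comment above, as an added example that is not part of the original thread. The `antiClickjack` style id and the function names are assumptions chosen for illustration.

```javascript
// Added example. Markup it assumes (constructed), placed in <head>:
//   <style id="antiClickjack">body { display: none !important; }</style>
// The page is invisible by default, so a framed copy, or one whose
// script never runs, stays blank instead of exposing clickable UI.

// True only when this window is the top-level browsing context.
function isTopLevel(win) {
  try {
    return win.self === win.top;
  } catch (e) {
    // Any error while probing the hierarchy is treated as "framed".
    return false;
  }
}

// Reveal the page when it is top-level. When framed, leave it hidden
// and try to navigate the top window to our own URL.
function revealIfNotFramed(win, doc) {
  if (isTopLevel(win)) {
    const guard = doc.getElementById("antiClickjack");
    if (guard && guard.parentNode) guard.parentNode.removeChild(guard);
    return "revealed";
  }
  try {
    win.top.location = win.self.location.href; // the framer may block this
  } catch (e) {
    // Navigation refused: nothing more to do, the content stays hidden.
  }
  return "hidden";
}

// Run only in a browser; under other runtimes the functions are just defined.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  revealIfNotFramed(window, document);
}
```

Because the hiding rule lives in CSS and only the script removes it, a failure of the frame check leaves the page blank rather than exposed.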

I’ve seen almost nothing but evil exploits from IFrame use in websites. The tag should probably be deprecated and executed for the good of the web. IFrames the cancer of the web.

How about something like…

    if framed
        break frames
        if still framed
            replace content

And you replace the page’s content with something like, "You’re browsing our site through a disreputable intermediary. Please go to [url] to see this content the way it was meant to be seen and to deny these scumbags revenue."

On a completely unrelated note, anyone getting a distinct mid/late nineties vibe from this? One of the first things JavaScript was really popular for was breaking out of frames-- though then being stuck in a frame was usually the result of someone’s poor framed design linking to your page in their content frame instead of the top. Jeff’s first code segment brought back a huge rush of memories.

There is a way to figure out the parent frame’s URI and make a decision if the frame should be busted. Just use document.referrer. Also, it would be best to

if (parent.frames.length > 0 && !/^[\w-]+:\/\/www\.reddit\.com\//.test(document.referrer)) {
    top.location.replace(document.location);
}

I’m not a fan of the diggbar, but don’t think it is the end of the world either. One interesting data point is that Kevin Rose didn’t seem pleased that Truveo was iframing Rev3.

http://revision3.com/diggnation/safari4/#seek=1904:1960

This was prior to diggbar. Now that he’s doing the same thing, I guess he’s changed his mind.

I think my solution to this would be not to try to bust out of the frame, but to use javascript to blank out the content of the page with a notice saying that “This page is incompatible with digg” or something.

Because it’s now “broken”, nobody links to you via digg, and nobody gets a link to see you in their frame.

You could detect if you’re being framed and then open a new window that notifies the user of the situation.

To all the users posting JS to alert('stop framing me'); This code will just annoy the end-user who will probably have no idea what a frame is.

Yes, replacing the content would not be ideal, you’d only scare users away. Probably best would be to add an info bar at the top notifying the user that since they are framing, clicks may not actually go where they think they did and to go to http://my.url/foo to ensure they are getting the authentic page.

Technologically, frame busting may be impossible, but social engineering can beat it.