Monday, October 06, 2008

Some of the common hacks use an inner frame to host your site, while the attacker controls the surrounding frame.

Using the following JavaScript code, you can make sure your site is running in the top frame of the browser:

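        <script type="text/javascript">

          // parent === self when the page is not framed. Without this check, a
          // top-level page that contains frames of its own would keep reloading itself.
          if (parent !== self && parent.frames.length > 0) {
            // Load this page in the parent window, replacing the framing page.
            parent.location.replace(self.document.location);
          }

        </script>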

The code will reload the current page in the parent window if it is within a frameset.

Kirk

Thursday, October 16, 2008 2:33:41 PM (New Zealand Standard Time, UTC+12:00)
As a note to this - Adobe use the following framebusting code on their settings page:

        <script type="text/javascript">
        // <![CDATA[
        if (top!=self){
          top.location.href=self.location.href;
        }
        // ]]>
        </script>

There's more than one way to skin a cat!

Kirk
Thursday, July 16, 2009 11:23:31 AM (New Zealand Standard Time, UTC+12:00)
location.href doesn't work in all browsers and isn't recommended out in the real world. The first code snippet is much more reliable.
Thursday, July 16, 2009 5:35:07 PM (New Zealand Standard Time, UTC+12:00)

Thanks Brandon, that's good to know.

Kirk
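
A hardened variant of the frame checks discussed in the post and comments, added here as an example (it is not code from the post, its commenters, or Adobe): it hides the page before attempting to break out, so the content stays invisible if the surrounding frame manages to stop the navigation. The names `framingState`, `guardAgainstFraming` and `mockWindow` and the URLs used with them are assumptions for illustration; `mockWindow` is a constructed stand-in for a browser window so the logic can be exercised outside a browser.

```javascript
// Added example; function names and URLs are hypothetical.

// A top-level window is its own `top`, even when it hosts iframes itself,
// so compare identities instead of counting frames.
function framingState(win) {
  return win.top === win.self ? "top-level" : "framed";
}

// Returns "shown", "busting" or "blocked".
function guardAgainstFraming(win) {
  const root = win.document.documentElement;
  if (framingState(win) === "top-level") {
    root.style.display = "";            // safe to render
    return "shown";
  }
  root.style.display = "none";          // hide first, then try to break out
  try {
    // replace() keeps the framing page out of the history, as in the post.
    win.top.location.replace(win.location.href);
    return "busting";
  } catch (e) {
    // Navigation refused (for example by a sandboxed iframe): stay hidden.
    return "blocked";
  }
}

// Constructed stand-in for a browser window, so the logic runs under Node.
function mockWindow(url, { framedBy = null, childFrames = 0, blockNav = false } = {}) {
  const win = {
    location: {
      href: url,
      replace(u) { if (blockNav) throw new Error("navigation blocked"); this.href = u; },
    },
    document: { documentElement: { style: { display: "" } } },
    frames: { length: childFrames },
  };
  win.self = win;
  win.parent = framedBy || win;
  win.top = framedBy ? framedBy.top : win;
  return win;
}

// In a real page, run the guard as early as possible.
if (typeof window !== "undefined") guardAgainstFraming(window);
```

Browsers that support the `X-Frame-Options` or Content-Security-Policy `frame-ancestors` response headers enforce the same policy without relying on script running inside the framed page.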