Framekiller

From Wikipedia, the free encyclopedia
Jump to: navigation, search
Gnome globe current event.svg
 This article's factual accuracy may be compromised due to out-of-date information. Please update this article to reflect recent events or newly available information. (November 2012)

A framekiller (or framebuster or framebreaker) is a piece of JavaScript code that prevents a Web page from being displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. This kind of script is often used to prevent a frame from an external Web site being loaded from within a frameset without permission, often as part of clickjacking attack.

Contents

First framekillers [edit]

Historically, the first framekiller scripts were as simple as this:

<script type="text/javascript">
  if(top != self) top.location.replace(location);
</script>

The logic here was to display the page, but check if the top location is the same as the current page, and replace the top by current if not.

There were many variations of this script. This example is cross-browser compatible, avoids deprecated objects, and uses replace which preserves the user's back-button. Comparing object references, top, self and location directly is slightly more efficient, and succinct.

Modern framekiller [edit]

In 2010 Gustav Rydstedt, Elie Bursztein, Dan Boneh and Collin Jackson published a paper that highlighted the limitations of current frame-busting techniques and proposed the following improved version:[1]

<style> html{display : none ; } </style>
<script>
   if( self == top ) {
       document.documentElement.style.display = 'block' ; 
   } else {
       top.location = self.location ; 
   }
</script>

The logic of this script was to disable presentation of the page by default and enable it only in top location.

Framekiller killers [edit]

Simple framekillers can be prevented from working with the following JavaScript along with a server which responds with a HTTP/1.1 204 No Content, as discovered in this blog. Just place the following code in the top frame. It works because in most browsers a 204 HTTP response will do nothing, meaning it will leave us on the current page. But the request attempt will override the previous frame busting attempt, rendering it useless.

var prevent_bust = 0;
 
// Event handler to catch execution of the busting script.
window.onbeforeunload = function() { prevent_bust++ };
 
// Continuously monitor whether busting script has fired.
setInterval(function() {
  if (prevent_bust > 0) {  // Yes: it has fired. 
    prevent_bust -= 2;     // Avoid further action.
    // Get a 'No Content' status which keeps us on the same page.
    window.top.location = 'http://server-which-responds-with-204.example.com/';
  }
}, 1);

Alternative solutions [edit]

An alternative choice is to allow the user to determine whether to let the framekiller work.

var framekiller = true;
window.onbeforeunload = function() { 
  if(framekiller) {
    return "...";  // any message that helps user to make decision
  }
};

and the code below should be added after the frame tag:

//"my_frame" should be changed according to the real id of the frame in your page 
document.getElementById("my_frame").onload = function() { 
  framekiller = false;
};

Framekiller limitations [edit]

Client-side JavaScript solution relies on the end-user's browser enforcing their own security. This makes it a beneficial, but unreliable, means of disallowing your page to be embedded in other pages. The following situations may render the script above useless:

  • The user agent does not support JavaScript.
  • The user agent supports JavaScript but the user has turned support off.
  • The user agent's JavaScript support is flawed or partially implemented.
  • The user agent's behavior is modified by a virus or plug-in (possibly without the user's knowledge) in a way that undermines the framekiller script.

DIV frames [edit]

Gnome-searchtool.svg
 This article's factual accuracy is disputed. Please help to ensure that disputed statements are reliably sourced. See the relevant discussion on the talk page. (June 2012)

A malicious site may also use a <div> element and javascript to "frame" the content. These are not easily amenable to javascript remedies. Such attempts end up incorporating the framed documents headers and tags such as <!doctype> <html> <head> <meta> <link> <title> <body> <script>, etc. Though this may cause the browser to run in quirks mode, the page may render with a frame.

In general, the javascript used to generate such a page would require a unique tag or id to be added to the document. This tagged element, such as a div with a unique id, would behave as the more conventional frame. Using CSS to set the that id to {display:block} may be of help prevent displaying of ones page inside the frame.

See also [edit]

  • Clickjacking - discusses more sophisticated methods to prevent embedding in a frame, such as X-Frame-Options header

References [edit]

  1. ^ G. Rydstedt, E. Bursztein, D. Boneh, C. Jackson (2010). "Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular sites". 3rd Web 2.0 Security and Privacy workshop. IEEE. 
Retrieved from "http://en.wikipedia.org/w/index.php?title=Framekiller&oldid=556083595"