javascript - Frame breaking only cross-domain but not for iframes from the same origin?


This question has been asked and answered correctly, but there did not seem to be a solution posted.

If a site has iframes, and one wants to prevent them from being enclosed in a frame from a different domain, simplistic frame-busting is not useful:

<script>
if (top != self) top.location = location
</script>

However, since cross-frame scripting to other domains should generate exceptions, this seems to work inside the iframe:

<script>
try {
  // reading top.document throws an exception when top is cross-origin
  if (window.document.domain != top.document.domain) {
    throw "you naughty puppy!"; // should not ever get here, right?
  }
} catch (e) {
  top.location = "/error/naughtypuppy";
}
</script>

The `if` above should be enough on its own to prevent cross-domain framing of iframes. Should it ever return false or throw an exception? Is there any way the script can reach the throw statement in a browser?

Would this be sufficient to prevent framing by other domains?

<script>
try {
  var bogus = top.document.domain; // throws when top is cross-origin
} catch (e) {
  top.location = "/error/naughtypuppy";
}
</script>

Edit: A similar solution is hinted at here, but one cannot rely on the parent frame to include frame-busting code. This detects when the iframe is cross-domain and busts out of it. It is the same solution: "try to access the other frame, and bust if an exception occurs."

That code is vulnerable to a form of attack that leverages the "onbeforeunload" feature. The parent (evil) page sets an interval handler (which is invulnerable to your code, due to the domain difference) and an "onbeforeunload" handler. The second handler updates a global variable (also invulnerable) to record the fact that the window is "under attack", and the interval timer (running fast enough that it should be able to become active before the browser has completed the outer window update to your legit URL) pops and updates window.location to point to an attacker-controlled URL that returns a no-op 204 response. The browser forgets the HTTP request and "updates" the window with the newer transaction instigated by the interval handler instead.

Here's an older question: frame buster buster ... buster code needed
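As an added example (not code from the question or the answer), here is the question's cross-origin check written as a function over a hypothetical `win` object so it can be exercised without a browser; `makeWindow` and `makeCrossOriginTop` are constructed stand-ins in which reading `top.document` throws, as a real cross-origin access does. It also folds in a hide-by-default step the thread does not mention: the body starts hidden and is revealed only when the check passes, so a parent that blocks the redirect (the answer's onbeforeunload trick) is left with a blank frame rather than clickable content.

```javascript
// Classify how `win` relates to its top window, mirroring the question's check:
// not framed, framed by the same origin, or framed cross-origin (the read of
// top.document throws, or the domains differ if a browser ever let it succeed).
function classifyFraming(win) {
  if (win.top === win) return 'not-framed';
  try {
    return win.top.document.domain === win.document.domain
      ? 'same-origin'
      : 'cross-origin';
  } catch (e) {
    return 'cross-origin'; // SecurityError on cross-origin access
  }
}

// Hide-by-default guard: body is assumed hidden by a <style> rule before this
// runs, is revealed only for the safe states, and stays hidden while busting.
function frameGuard(win) {
  if (classifyFraming(win) === 'cross-origin') {
    win.document.body.style.display = 'none';
    win.top.location = '/error/naughtypuppy'; // navigation is allowed cross-origin
    return 'bust';
  }
  win.document.body.style.display = '';
  return 'allow';
}

// Constructed stand-in for a window (hypothetical shape, no real DOM).
function makeWindow(domain, top) {
  const win = { document: { domain, body: { style: { display: 'none' } } } };
  win.top = top === null ? win : top; // top === self when not framed
  return win;
}

// Constructed cross-origin top: any read of `document` throws, as a browser would.
function makeCrossOriginTop() {
  return {
    get document() { throw new Error('SecurityError: blocked a frame with a different origin'); },
    location: '',
  };
}
```

A script-only guard like this is a fallback; the server-side equivalent is the `X-Frame-Options` or Content-Security-Policy `frame-ancestors` response header, which the browser enforces before any script in the frame runs.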
