javascript - Frame breaking only cross-domain but not for iframes from the same origin?
This question has been asked and answered correctly, but there did not seem to be a solution posted.
If a site has iframes, and one wants to prevent them from being enclosed in a frame from a different domain, simplistic frame-busting is not useful:
<script>if (top != self) top.location = location</script>
However, since cross-frame scripting to other domains should generate exceptions, this seems to work inside the iframe:
<script>
try {
  if (window.document.domain != top.document.domain) { // throws exception
    throw "you naughty puppy!"; // should not ever get here, right?
  }
} catch (e) {
  top.location = "/error/naughtypuppy";
}
</script>
The if above should be enough on its own to prevent cross-domain framing of iframes. It should only ever return false or throw an exception, so is there any way the script could reach the throw statement in a browser?
Would this be sufficient to prevent framing from other domains?
<script>
try {
  var bogus = top.document.domain;
} catch (e) {
  top.location = "/error/naughtypuppy";
}
</script>
Edit: a similar solution is hinted at here, but one would not rely on the parent frame to include the frame-busting code. Detect when an iframe is cross-domain, then bust out of it. It is the same solution as "try to access the other frame, and bust if an exception occurs."
That code is vulnerable to a form of attack that leverages the "onbeforeunload" feature. The parent (evil) page sets up an interval handler (which is invulnerable to your code, due to the domain difference) and an "onbeforeunload" handler. The second handler updates a global variable (also invulnerable) to record the fact that the window is "under attack", and then the interval timer (running fast enough that it should be able to become active before the browser has completed the outer window update to your legit URL) pops and updates window.location to point at an attacker-controlled URL that returns a no-op 204 response. The browser forgets about your HTTP request and "updates" the window from the newer transaction instigated by the interval handler instead.
Here's an older question: Frame Buster Buster ... buster code needed
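An added example (not from the question or the answer): the question's try/catch probe written as a function, plus a fail-closed step that hides the page before navigating, so the navigation race described in the answer leaves nothing visible to frame. The names framingStatus, guard, mockWindow, mockCrossOriginTop and framed, and the mock window objects, are constructed for illustration so the logic runs outside a browser.

```javascript
// Classify how this window is framed, using the probe from the question.
// In a browser, reading top.document from a cross-origin frame throws.
function framingStatus(win) {
  if (win.top === win.self) return "top-level";
  try {
    void win.top.document.domain; // any read of top.document is enough
    return "same-origin-frame";
  } catch (e) {
    return "cross-origin-frame";
  }
}

// Fail closed: hide the page first, then try to navigate. If the parent
// cancels the navigation (the onbeforeunload/204 race from the answer),
// the content stays hidden. The hiding step is an addition, not page code.
function guard(win) {
  const status = framingStatus(win);
  if (status === "cross-origin-frame") {
    win.document.documentElement.style.display = "none";
    try { win.top.location = win.location.href; } catch (e) { /* refused */ }
  }
  return status;
}

// Constructed stand-ins for browser windows (not real DOM objects).
function mockWindow(domain) {
  const w = {
    document: { domain: domain, documentElement: { style: {} } },
    location: { href: "https://" + domain + "/" },
  };
  w.self = w;
  w.top = w;
  return w;
}

// Emulates a cross-origin top window: document reads throw, location is write-only.
function mockCrossOriginTop() {
  const t = { navigatedTo: null };
  Object.defineProperty(t, "document", { get() { throw new Error("SecurityError"); } });
  Object.defineProperty(t, "location", { set(v) { t.navigatedTo = v; } });
  return t;
}

// Builds a window for `domain` whose top is `topWin`.
function framed(domain, topWin) {
  const w = mockWindow(domain);
  w.top = topWin;
  return w;
}
```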