3 approaches to prevent frame-busting

Posted by bcmoney on 07/27/13
Tagged: iframe js php ie frame-busting
Published in: JavaScript

URL: http://bcmoney-mobiletv.com/blog/2007/11/01/leaving-sony-and-japan/

Three methods are combined to prevent frame-busting or session-jacking:

1.) SECURITY="RESTRICTED" attribute on the iFrame (works only in IE, where it disables script inside the frame)

2.) If the domain is one of a list of "frame-buster" external sites, use JavaScript to keep the window's "unload"/"beforeunload" event from completing, since that navigation is what most JS-based redirects/frame-busts rely on

3.) Passing the raw HTML of the request through "redirect.php", a PHP proxy, to attempt to strip any blocking/frame-busting code (the "url" parameter is the URL you would otherwise put directly in the "src" attribute of a normal iFrame embed)

See it in action on my blog, where I'm embedding a photo album via Internet Archive and the now defunct Multiply (both sites have their own frame-bust that needs to be overcome).

    <iframe width="100%" height="1800" src="http://YOURSITE.com/redirect.php?url=THEIRSITE.com/interesting-page.html" scrolling="auto" SECURITY="RESTRICTED"></iframe>

    <script type="text/javascript">// <![CDATA[
    var prevent_bust = Math.random() * 3000; // Random seed value, so a framed page cannot predict the value being tested for
    // Enclose everything in a function, so that it cannot be addressed from the main window scope
    function iniFunc(init) {
      // The handler is no longer in scope of the main window.
      function onbeforeunload() { prevent_bust++; }
      window.onbeforeunload = onbeforeunload;
      setInterval(function () {
        // Make sure the handler was not deleted.
        if (window.onbeforeunload != onbeforeunload) {
          prevent_bust = init + 1;
          window.onbeforeunload = onbeforeunload;
        }
        if (prevent_bust > init) { // All comparison is to the random seed.
          prevent_bust -= 2;
          window.top.location = document.location;
          // Unfortunately, you have absolutely no idea which website caused the increment, so you cannot replace it with a link!
          // You might try to simply ignore it and just use the iframe as is -- theoretically, they are no longer able to bust this frame
        }
      }, 1);
    }

    // top.location is a Location object (calling .replace on it navigates), so .href is needed to get the URL string
    var thisURL = top.location.href.replace('http://', '').replace('https://', '').replace('www.', '');
    // Intended to arm the handler only for the listed "frame-buster" sites; note that with || and === -1
    // the test is true for any URL that lacks at least one of the hosts, so in practice it always arms
    if (thisURL.indexOf('EXTERNALSITE.com') === -1 || thisURL.indexOf('EXTERNALSITE.tv') === -1 || thisURL.indexOf('EXTERNALSITE-CDN.com') === -1) {
      iniFunc(prevent_bust);
    }
    // ]]>
    </script>
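The two client-side approaches above (SECURITY="RESTRICTED" and the onbeforeunload counter) only affect frame-busting done in page script; a browser-enforced framing policy is decided from the framed response's X-Frame-Options or Content-Security-Policy frame-ancestors headers before any script runs. The following is an added example, not code from the original snippet or its author, modelling that decision; the obsolete ALLOW-FROM form and scheme-only sources are not modelled, and every origin in it is a constructed placeholder.

```javascript
// Added example, not part of the original snippet: a simplified model of the framing
// decision a browser makes from the framed response's headers, before any page script
// runs. Follows the CSP3 rule that frame-ancestors takes precedence over X-Frame-Options.
// Only the common source forms are handled: 'none', 'self', exact origins, "*." host wildcards.

function parseFrameAncestors(csp) {
  // Returns the frame-ancestors source list, or null if the directive is absent.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return ancestorOrigin === pageOrigin;
  if (src.startsWith('*.')) {
    // Host wildcard: matches any subdomain of the host, but not the bare host itself.
    return new URL(ancestorOrigin).hostname.endsWith(src.slice(1));
  }
  return src === ancestorOrigin.toLowerCase(); // exact origin, scheme included
}

function canFrame(headers, pageOrigin, ancestorOrigin) {
  // headers: object keyed by lower-cased response header name.
  const csp = headers['content-security-policy'];
  const sources = csp ? parseFrameAncestors(csp) : null;
  if (sources) {
    const allowed = sources.some((s) => sourceMatches(s, ancestorOrigin, pageOrigin));
    return { allowed, enforcedBy: 'frame-ancestors' };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, enforcedBy: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: ancestorOrigin === pageOrigin, enforcedBy: 'x-frame-options' };
  }
  // No browser-enforced policy: the frame renders and only script-based busters remain,
  // which is the only case the snippet above can influence.
  return { allowed: true, enforcedBy: 'none' };
}

// Constructed sample: THEIRSITE framed by YOURSITE, without and with a header policy.
console.log(canFrame({}, 'https://THEIRSITE.com', 'https://YOURSITE.com'));
console.log(canFrame({ 'x-frame-options': 'DENY' }, 'https://THEIRSITE.com', 'https://YOURSITE.com'));
```

A site that sends either header is unaffected by all of the script-side tricks on this page, because the frame is refused before its content is loaded.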
