Wednesday, February 27, 2013

Frame busting

More and more websites don't want to be iframed by other sites, so they add a frame-busting setting or script to their pages. Our web clipper clips website URLs as bookmarks, so we have to deal with this frame busting, which is known as anti-frame-busting or preventing frame busting.

Three ways to keep your website from being iframed by other websites:
1. X-Frame-Options: DENY
An HTTP response header (DENY forbids all framing; SAMEORIGIN allows frames only from your own origin), implemented by most browsers. Because the browser enforces it before any page script runs, the framing page cannot work around it. iOS UIWebView does not seem to have implemented it as of this writing.

2. Traditional JavaScript code (the framed page navigates the top window to itself)
if (top != self) { top.location.replace(self.location.href); }

3. JavaScript that keeps the body hidden unless the page is top-level, as a clickjacking defence
The body starts hidden and is only shown once the page proves it is not framed by another host. Reading top.location.hostname from a cross-origin frame throws in browsers, so the catch branch also covers the case where the check itself cannot run:
<body style="display:none" ...>
try {
  if (top.location.hostname != self.location.hostname)
    throw 1;
  document.body.style.display = 'block';
} catch (e) {
  // possible clickjack attack, leave content hidden
}

Then how do you defeat frame busting? Options 2 and 3 are scripts running inside the framed page, so the framing page can try to interfere with them; option 1 is enforced by the browser itself and cannot be worked around from the framing page. See http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed for the discussion.
