Reputation: 13421
Selective frame-busting Javascript
At some point last month, a random website decided to serve my company's website in a frame. Ignoring the question of "what are they doing?" for a minute, I used some simple frame-buster Javascript:
<script type="text/javascript">
if (top.location != location) {
top.location.href = document.location.href ;
}
</script>
That part works great. The problem is, not all frames are bad: if someone comes to the site via ow.ly, we don't want to destroy their frame. I've tried a few things, either to whitelist ow.ly or to blacklist the offending website, but I can't get around the cross-frame security long enough to search top.location. Is there anything I can only block some frames, based on the URL?
To clarify, I realize that I'm unlikely to win the frame-busting arms race. I'm fine with that. What I'm trying to do is establish a whitelist of sites that are allowed to show our site in a frame.
Upvotes: 2
Views: 2389
Answers (1)
Reputation: 140172
Employ some help from your back-end. You could check the HTTP referrer header and then enable your frame-buster accordingly.
Upvotes: 3
Related Questions
- How to implement Frame Buster Javascript in iframe
- Bypassing Frame buster
- Busting a tough FRAME killer
- Preventing frame busting with access to page source
- Frames in javascript
- Javascript frame killer that still allows frames from own domain?
- Can you beat a frame breaker?
- Framebreaker detection
- Frame buster buster
- Javascript frames discovery