How to forbid framing


Solution 1

1) Frame busting is always done on the client: since the server is never told that a page is requested to be used in a frame, it has to be done client-side. Recent browsers support a special HTTP header called X-Frame-Options to prevent displaying a page in a frame, but for removing the frames or for older browser versions, you need JavaScript. (Thanks to ide for pointing this out!)

2) Assuming you don't use the HTTP header, then if JavaScript is turned off, the frame will stay. There's no way around that, since it has to happen client-side.

3) It was actually fairly common some years ago, although it seems most sites have stopped using it by now. One reason you might still use it is to prevent clickjacking.

Now, it just so happens that frame busting can be busted, and there's actually an SO question about how frame-busting busters can be busted - SO is currently using this kind of anti-anti-frame busting.

(Of course, it could be the case that this anti-anti-frame busting can itself be busted, in which case there might be a way to bust the anti-anti-frame-busting buster, and I'm sure you see where this is going.)
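The two layers the answer describes, the server-side header and the client-side frame buster, as an added example that is not code from the answer or from Stack Overflow. The function names and the `'deny'`/`'sameorigin'` option names are this example's own. It also includes the Content-Security-Policy `frame-ancestors` directive, the modern replacement for X-Frame-Options, and an audit helper a site operator can run over captured response headers to confirm framing is actually forbidden. The client-side check is factored so it can be exercised outside a browser; the sample responses are constructed.

```javascript
'use strict';

// Layer 1 (server side): headers that tell the browser not to render this
// document inside a frame. X-Frame-Options is the legacy header from the
// answer; CSP frame-ancestors is its modern equivalent and takes precedence
// in browsers that support both. `policy` is 'deny' or 'sameorigin'
// (option names chosen for this example).
function antiFramingHeaders(policy) {
  if (policy === 'deny') {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (policy === 'sameorigin') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  throw new Error(`unknown policy: ${policy}`);
}

// Audit helper: given the headers of a captured response (names in any case),
// report whether framing is forbidden and by which mechanism.
function auditFramingProtection(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);

  const csp = lower['content-security-policy'] || '';
  // frame-ancestors directive, if present: 'none' or a source list
  const m = csp.match(/(?:^|;)\s*frame-ancestors\s+([^;]+)/i);
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();

  if (m) {
    const value = m[1].trim();
    // a bare '*' allows any ancestor, so it is not protection
    return { protected: value !== '*', mechanism: 'csp-frame-ancestors', value };
  }
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, mechanism: 'x-frame-options', value: xfo };
  }
  // ALLOW-FROM is obsolete and ignored by current browsers, so it is not
  // counted; an absent or unknown value leaves the page frameable.
  return { protected: false, mechanism: 'none', value: xfo || null };
}

// Layer 2 (client side): the classic frame buster compares window.self with
// window.top; if they differ, the page is framed. The comparison takes the
// two window objects as arguments so it can be tested with constructed stand-ins.
function isFramed(selfWindow, topWindow) {
  return selfWindow !== topWindow;
}

// Runs only in a real browser: if framed, navigate the top-level window to
// this page. As the answer says, this can itself be defeated and does nothing
// when JavaScript is disabled, which is why the headers are the primary defence.
function bustFrame() {
  if (typeof window === 'undefined') return false; // not in a browser
  if (isFramed(window.self, window.top)) {
    window.top.location = window.self.location;
    return true;
  }
  return false;
}

// Constructed sample responses, as a site operator might capture them.
const sampleResponses = {
  hardened: antiFramingHeaders('deny'),
  legacyOnly: { 'X-Frame-Options': 'sameorigin', 'Content-Type': 'text/html' },
  unprotected: { 'Content-Type': 'text/html' },
};

for (const [name, headers] of Object.entries(sampleResponses)) {
  console.log(name, auditFramingProtection(headers));
}
```

Run under Node to see the audit result for each constructed response; in a browser, `bustFrame()` is the piece that would go in the page head, while `antiFramingHeaders()` shows what the server should send.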

Solution 2

See this post on frame breakers: http://www.codinghorror.com/blog/2009/06/we-done-been-framed.html

Author by Trufa

Updated on July 19, 2022

Comments

  • Trufa
    Trufa almost 2 years

    I have recently noticed that Stack Overflow "for security reasons" does not allow framing.

    1) How was this done? (Not in SO's specific case! I mean the technique/language etc.; for some reason I guess it's JS.)

    2) Is it actually avoiding it or just a warning (sort of like client-side validation)?

    3) Should this always be done, or are there specific reasons for doing this and it is not necessary in most of the cases? (This is the first time I've seen it.)

    Thanks in advance!!!

  • Trufa
    Trufa over 13 years
    +1 great answer, thank you! Yep, when you get into that vicious circle the only one losing is you; it is as safe as asking "please don't do it!" So a little bit antiquated I guess, thanks!!!
  • ide
    ide over 13 years
    Frame busting requires JS, but disallowing framing is best achieved with the X-Frame-Options HTTP header, introduced by IE8. You should have both anti-framing techniques for legacy support, but X-Frame-Options is supported in all modern browsers: developer.mozilla.org/en/the_x-frame-options_response_header.