[thelist] Frame busting

Peter-Paul Koch ppk at xs4all.nl
Mon Sep 11 16:04:38 CDT 2000


>Can anybody else confirm this? I think and hope there is a misunderstanding:
>
>It is only the location property of a frame from another domain that 
>is inaccessible to your scripts.

Yep, that's my current theory. Why do you hope there is a misunderstanding?
I think it's great that we can do frame busting anyway.

>Don't say:
>
>if (top.location.href != self.location.href)
>
>Try:
>
>if (top != self)

Hmmm...interesting notion. I'll use it in the Grand Testing that should
take place within a few days.

>on a slightly different topic, you could instead use top.location.replace() 
>to avoid the back-button problem (where click back shunts you forwards
>again).
>
>i have no idea how this would change your security problems.

Yep, replace() is generally a better idea. And no, it doesn't solve the
security.

ppk
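
The two checks and the replace() call discussed in this thread, as an added example that is not part of the original post. The window objects are constructed stand-ins so it runs under Node; `makeLocation`, `makePage` and the `.example` URLs are hypothetical, and the model assumes that reading `href` on another domain's window throws while calling `replace()` on it is allowed.

```javascript
// Constructed stand-ins for browser windows so the logic runs under Node.
// Assumption modelled: reading href on another domain's window throws,
// while calling replace() on it is allowed.
function makeLocation(url, readable, history) {
  return {
    get href() {
      if (!readable) throw new Error("Permission denied to read location.href");
      return url;
    },
    replace(newUrl) { // overwrite the current history entry, add nothing
      url = newUrl;
      history[history.length - 1] = newUrl;
    },
  };
}

// Hypothetical helper: a page at pageUrl, framed by parentUrl if one is given.
// history models the top-level window's session history.
function makePage(pageUrl, parentUrl, sameDomain) {
  const history = ["https://previous.example/", parentUrl || pageUrl];
  const win = { location: makeLocation(pageUrl, true, parentUrl ? [pageUrl] : history) };
  win.self = win;
  win.top = parentUrl ? { location: makeLocation(parentUrl, sameDomain, history) } : win;
  return { win, history };
}

// First check quoted in the thread: has to read top.location.href.
function isFramedByHref(win) {
  return win.top.location.href != win.self.location.href;
}

// Check suggested in the thread: compares the window objects, reads no location.
function isFramedByIdentity(win) {
  return win.top != win.self;
}

// Frame buster: identity check plus replace(), so the framing page does not
// stay in history to shunt the user forwards again on Back.
function bustFrame(win) {
  if (!isFramedByIdentity(win)) return false;
  win.top.location.replace(win.self.location.href);
  return true;
}

const demo = makePage("https://site.example/page", "https://framer.example/", false);
console.log(bustFrame(demo.win), demo.history);
```
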



