[thelist] Frame busting
Peter-Paul Koch
ppk at xs4all.nl
Mon Sep 11 16:04:38 CDT 2000
>Can anybody else confirm this? I think and hope there is a misunderstanding:
>
>It is only the location property of a frame from another domain that
>is inaccessible to your scripts.
Yep, that's my current theory. Why do you hope there is a misunderstanding?
I think it's great that we can do frame busting anyway.
>Don't say:
>
>if (top.location.href != self.location.href)
>
>Try:
>
>if (top != self)
Hmmm...interesting notion. I'll use it in the Grand Testing that should
take place within a few days.
>On a slightly different topic, you could instead use top.location.replace()
>to avoid the back-button problem (where click back shunts you forwards
>again).
>
>I have no idea how this would change your security problems.
Yep, replace() is generally a better idea. And no, it doesn't solve the
security.
ppk
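
The two checks quoted in this message, side by side, as an added example that is not part of the original post. The window objects are constructed mocks (hypothetical helper `makeFramedPage` and `example` URLs), and the mock assumes a browser that refuses to let a script read `top.location.href` when the framing page is on another domain.

```javascript
// Added example, not code from the thread. Windows are passed in as
// arguments so the logic can run outside a browser.

// First quoted check: compares URLs, so it has to READ top.location.href.
function framedByHref(win) {
  return win.top.location.href != win.self.location.href;
}

// Second quoted check: compares window references only, no location read.
function framedByIdentity(win) {
  return win.top != win.self;
}

// Frame buster using the identity check plus replace(), which overwrites
// the current history entry so the back button does not return to the frameset.
function bustFrame(win) {
  if (!framedByIdentity(win)) return false;
  win.top.location.replace(win.self.location.href);
  return true;
}

// Constructed mock of a page loaded inside someone else's frameset.
// crossDomain = true models the read restriction on top.location.href.
function makeFramedPage(pageUrl, crossDomain) {
  const top = { navigations: [] };
  top.location = {
    get href() {
      if (crossDomain) throw new Error("Permission denied: top.location.href");
      return "http://framer.example/frameset.html";
    },
    replace(url) { top.navigations.push(url); },
  };
  top.top = top;
  top.self = top;
  const self = { location: { href: pageUrl }, top: top };
  self.self = self;
  return self;
}

// Constructed mock of the same page loaded directly (not framed).
function makeTopLevelPage(pageUrl) {
  const win = { navigations: [] };
  win.location = { href: pageUrl, replace(url) { win.navigations.push(url); } };
  win.top = win;
  win.self = win;
  return win;
}
```
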