[thelist] Frame busting
Peter-Paul Koch
ppk at xs4all.nl
Sun Sep 10 13:58:13 CDT 2000

Ok, I just found out one of those completely weird things that keep life
interesting for the web developer.

I want to write a general purpose frame busting script for when your site
is loaded into someone else's frameset.

The known problem with this script is that the new security settings of the
browsers (tested in NN4 and IE5 Win98) don't allow you to make changes in
another domain, so you cannot execute a script from your site that
influences someone else's frameset.

So I wrote the script

    if (top.location.href != self.location.href)
        top.location.href = self.location.href;

and the browsers refused to execute it because of security. So far so bad.

Then I wrote a second script that does

    if (top.bladie) top.location.href = self.location.href;

where 'bladie' is the name of one of the frames. So if the frame 'bladie'
exists the frameset is wrong and should be busted. This script works!

I don't understand at all what the difference is (there should be none,
from a security point of view) but there is a difference all right!

So once again I'd like to ask for your help.

1) Go to http://www.xs4all.nl/~ppk/frametest.html
2) The lower frame tries a frame bust; this should fail miserably and
   produce JS errors.
3) Click the link "Load second page"
4) A new page is loaded into the lower frame and tries a frame bust. This
   should succeed.

If anything goes differently from what I described above, please let me
know what goes wrong and what browser/OS you're using. BTW: this solution
does not work in Gecko M17.

My current guess is that the security stuff is linked to the
seeing-what-URL-we're-on, not the actual changing of the location. But I
may be completely wrong.

Thanks in advance,

ppk

PS: Please cc me, I read the digest.
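
A simplified model of the behaviour the post reports, as an added example that is not part of the original message. The mock `top` object, its error text and the `example.org` URL are constructed assumptions, and `bustByIdentity` is an added variant that needs no frame name.

```javascript
// Constructed model of a top window that belongs to another domain.
// Assumption: reading location.href is refused, assigning to it is allowed,
// and child frames can be looked up by name (the behaviour the post reports).
function makeForeignTop(frameNames) {
  const state = { navigatedTo: null };
  const location = {};
  Object.defineProperty(location, 'href', {
    get() { throw new Error('Permission denied to read location.href'); },
    set(url) { state.navigatedTo = url; },
  });
  const top = { location };
  for (const name of frameNames) top[name] = { name };
  return { top, state };
}

// First script from the post: compares URLs, so it must read top.location.href.
function bustByComparingUrls(top, self) {
  if (top.location.href != self.location.href) {
    top.location.href = self.location.href;
  }
}

// Second script from the post: tests for a named frame, then only writes.
function bustByFrameName(top, self, frameName) {
  if (top[frameName]) top.location.href = self.location.href;
}

// Added variant: comparing the window objects reads no property of top.
function bustByIdentity(top, self) {
  if (top !== self) top.location.href = self.location.href;
}

// Run one buster against a fresh foreign frameset containing frame 'bladie'.
function run(buster, ...extra) {
  const { top, state } = makeForeignTop(['bladie']);
  const self = { location: { href: 'http://example.org/page.html' } };
  try {
    buster(top, self, ...extra);
    return { error: null, navigatedTo: state.navigatedTo };
  } catch (e) {
    return { error: e.message, navigatedTo: state.navigatedTo };
  }
}
```

In this model only the first script fails, because it is the only one that reads the foreign frameset's URL before assigning to it.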