[thelist] Frame busting

Peter-Paul Koch ppk at xs4all.nl
Sun Sep 10 13:58:13 CDT 2000


Ok, I just found out one of those completely weird things that keep life
interesting for the web developer.

I want to write a general purpose frame busting script for when your site
is loaded into someone else's frameset.

The known problem with this script is that the new security settings of the
browsers (tested in NN4 and IE5 Win98) don't allow you to make changes in
another domain, so you cannot execute a script from your site that
influences someone else's frameset.

So I wrote the script

if (top.location.href != self.location.href) top.location.href = self.location.href;

and the browsers refused to execute it because of security. So far so bad.

Then I wrote a second script that does

if (top.bladie) top.location.href = self.location.href;

where 'bladie' is the name of one of the frames. So if the frame 'bladie'
exists the frameset is wrong and should be busted. This script works!

I don't understand at all what the difference is (there should be none,
from a security point of view) but there is a difference all right!

So once again I'd like to ask for your help.

1) Go to http://www.xs4all.nl/~ppk/frametest.html
2) The lower frame tries a frame bust; this should fail miserably and
produce JS errors.
3) Click the link "Load second page"
4) A new page is loaded into the lower frame and tries a frame bust. This
should succeed.

If anything goes differently from what I described above, please let me
know what goes wrong and what browser/OS you're using. BTW: this solution
does not work in Gecko M17.

My current guess is that the security stuff is linked to the
seeing-what-URL-we're-on, not the actual changing of the location. But I
may be completely wrong.

Thanks in advance,

ppk

PS: Please cc me, I read the digest.
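
Added example, not part of the original post: a small JavaScript model of the guess above that the restriction applies to reading the parent's URL rather than to changing it. The cross-origin parent is a constructed mock (makeCrossOriginTop, bustByComparingUrls, bustByIdentity and the example.test URL are hypothetical names), so it runs outside a browser.

```javascript
// Constructed stand-in for a framing page on another domain:
// reading location.href throws, assigning to it records a navigation.
function makeCrossOriginTop() {
  const state = { navigatedTo: null };
  const location = {};
  Object.defineProperty(location, 'href', {
    get() { throw new Error('SecurityError: cross-origin read of location.href'); },
    set(url) { state.navigatedTo = url; },
  });
  return { location, state };
}

// First script from the post: it compares URLs, so it has to read top.location.href.
function bustByComparingUrls(top, self) {
  if (top.location.href != self.location.href) top.location.href = self.location.href;
}

// Variant that never reads the parent's URL: compare window identity,
// then only write to top.location.href.
function bustByIdentity(top, self) {
  if (top !== self) {
    top.location.href = self.location.href;
    return true;
  }
  return false;
}

function demo() {
  const self = { location: { href: 'http://example.test/page.html' } }; // constructed URL
  const results = {};

  const top1 = makeCrossOriginTop();
  try {
    bustByComparingUrls(top1, self);
    results.compare = 'navigated';
  } catch (e) {
    results.compare = 'blocked'; // the read of href failed before any write
  }
  results.compareTarget = top1.state.navigatedTo;

  const top2 = makeCrossOriginTop();
  results.identity = bustByIdentity(top2, self);
  results.identityTarget = top2.state.navigatedTo;

  results.unframed = bustByIdentity(self, self); // page is its own top: nothing to bust
  return results;
}
```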





