Framekiller

A framekiller is a piece of JavaScript code that doesn't allow a Web page to be displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. This kind of script is often used to prevent a page from being loaded, without permission, into a frameset on an external Web site.

The typical source code for a framekiller script is:


There are many variations of this script. This example is cross-browser compatible, avoids deprecated objects, and uses replace, which preserves the user's back button.
Comparing the object references top, self and location directly is slightly more efficient and more succinct.

Framekiller Killers

The above framekiller can be prevented from working with the following JavaScript, combined with a server that responds with HTTP/1.1 204 No Content, as discovered in this blog. Just place the following code in the top frame. It works because in most browsers a 204 HTTP response does nothing, leaving the browser on the current page, but the navigation request overrides the previous frame-busting attempt, rendering it useless.

var prevent_bust = 0;

// Event handler to catch execution of the busting script.
window.onbeforeunload = function () { prevent_bust++; };

// Continuously monitor whether the busting script has fired.
setInterval(function () {
  if (prevent_bust > 0) { // Yes: it has fired.
    prevent_bust -= 2;    // Avoid further action.
    // Get a 'No Content' status, which keeps us on the same page.
    window.top.location = 'http://server-which-responds-with-204.example.com';
  }
}, 1);

Alternative Solution

An alternative choice is to let the user decide whether the framekiller is allowed to work, building on the same onbeforeunload hook the Framekiller Killer uses.

var framekiller = true;
window.onbeforeunload = function () {
  if (framekiller) {
    return "..."; // any message that helps the user make a decision
  }
};

and the following code should be added after the frame tag:

// "my_frame" should be changed to the real id of the frame in your page
document.getElementById("my_frame").onload = function () {
  framekiller = false;
};

Limitations

This client-side JavaScript solution relies on the end user's browser enforcing its own security. This makes it a beneficial, but unreliable, means of preventing your page from being embedded in other pages. The following situations may render the script above useless:
  • The user agent does not support JavaScript.
  • The user agent supports JavaScript but the user has turned support off.
  • The user agent's JavaScript support is flawed or partially implemented.
  • The user agent's behavior is modified by a virus or plug-in (possibly without the user's knowledge) in a way that undermines the framekiller script.


In 2010 Gustav Rydstedt, Elie Bursztein, Dan Boneh and Collin Jackson published a paper that highlighted the limitations of current frame-busting techniques and proposed the following improved version:
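The following is an added example, not code from this article or from the Rydstedt et al. paper. It models the basic framekiller described at the top of the article (compare top and self, then replace the top location) next to a hide-by-default variant in the spirit of the improved version: the document starts out hidden and is only revealed once the script has confirmed it is the top window, so a bust that gets cancelled leaves nothing for the framing page to show. Because it runs outside a browser, the window, document and location objects are constructed stand-ins; makeWindow, bustBlocked and navigatedTo are this example's own names, not browser APIs.

```javascript
// Constructed fake window so the example runs under Node. The names below
// (makeWindow, bustBlocked, navigatedTo) are this example's own, not browser APIs.
//   framed:      true when the page is loaded inside another page's frame
//   bustBlocked: true to model a framing page that cancels our navigation,
//                as the 204-based "framekiller killer" above does
function makeWindow({ framed, bustBlocked = false }) {
  const self = { location: { href: 'https://victim.example/page' } };
  const top = framed ? { location: { href: 'https://attacker.example/' } } : self;
  const win = {
    self,
    top,
    navigatedTo: null, // where a successful bust sent the top window
    document: { documentElement: { style: { display: 'block' } } },
  };
  // location.replace() as the framekiller sees it; a blocked bust is a no-op
  top.location.replace = function (url) {
    if (!bustBlocked) win.navigatedTo = url;
  };
  return win;
}

// Basic framekiller: compare top and self and replace the top location when
// they differ. Content is visible the whole time, so a blocked bust leaves the
// page fully rendered inside the framing page.
function basicFramekiller(win) {
  if (win.top !== win.self) {
    win.top.location.replace(win.self.location.href);
  }
  return {
    busted: win.navigatedTo !== null,
    visible: win.document.documentElement.style.display !== 'none',
  };
}

// Hide-by-default framekiller: <html> starts hidden (what an inline style rule
// would do before any script runs) and is only revealed once the script has
// confirmed it is the top window. If the bust is blocked, the content simply
// stays invisible, which is the property the basic version lacks.
function hiddenFramekiller(win) {
  const html = win.document.documentElement;
  html.style.display = 'none';
  if (win.self === win.top) {
    html.style.display = 'block';
  } else {
    win.top.location.replace(win.self.location.href);
  }
  return {
    busted: win.navigatedTo !== null,
    visible: html.style.display !== 'none',
  };
}

// Run the interesting cases side by side and return them for inspection.
function compare() {
  return {
    basicFramed: basicFramekiller(makeWindow({ framed: true })),
    basicFramedBlocked: basicFramekiller(makeWindow({ framed: true, bustBlocked: true })),
    hiddenFramedBlocked: hiddenFramekiller(makeWindow({ framed: true, bustBlocked: true })),
    hiddenTopLevel: hiddenFramekiller(makeWindow({ framed: false })),
  };
}

console.log(compare());
```

The case worth looking at is basicFramedBlocked versus hiddenFramedBlocked: both fail to navigate, but only the basic version leaves the content visible. The limitations listed above still apply to the hidden variant, since it is client-side script as well; in real deployments the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive, which the browser enforces before any page script runs, are the controls to rely on.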





DIV frames

A malicious site may also use a <div> element and JavaScript to "frame" the content. These are not easily amenable to JavaScript remedies. Such attempts end up incorporating the framed document's headers and tags such as <body>, <script>, etc. Though this may cause the browser to run in quirks mode, the page may still render inside the frame.

In general, the JavaScript used to generate such a page would require a unique tag or id to be added to the document. This tagged element, such as a div with a unique id, would behave as the more conventional frame. Using CSS to set that id to {display:block} may help prevent one's page from being displayed inside the frame.

The source of this article is Wikipedia (http://en.wikipedia.org/wiki/Framekiller), the free encyclopedia. The text of this article is licensed under the GFDL.