busting out of frames with javascript in a way that works with all browsers?

Discussion in 'Javascript' started by William Krick, Oct 5, 2004.

  1. I did a little searching for javascript code that will make a page
    "jump out" of frames when the page is loaded. There seems to be many,
    many ways to do this and I've added the ones I found to the end of
    this post.

    Which one should I use? Is there a generally accepted "best" way to
    do this that works with all browsers?

    ....
    Krick



    if (top != self) {
        top.location = self.location;
    }

    if (window != top) {
        top.location.href = location.href
    }

    if (top.window != window) {
        top.location.href = window.location.href
    }

    if (parent.frames.length > 0) {
        parent.location.href = location.href;
    }

    if (top.location != location) {
        top.location.href = document.location.href
    }

    if (parent.frames.length >= 1) {
        window.top.location.href = "index.html"
    }
     
    William Krick, Oct 5, 2004
    #1

  2. William Krick wrote:
    > I did a little searching for javascript code that will make
    > a page "jump out" of frames when the page is loaded. There
    > seems to be many, many ways to do this and I've added the
    > ones I found to the end of this post.
    >
    > Which one should I use? Is there a generally accepted
    > "best" way to do this that works with all browsers?


    If you are breaking out of frames they will presumably be other people's
    frames and cross-domain/same-origin security restrictions will apply.
    The extent to which you can read properties of the containing frame may
    be more or less restricted because of this.

    It is important that your code does not cause an exception due to
    security restrictions else it will not only not escape the frame, but it
    might not work properly at all.

    > if (top != self) {


    (top != self) and (top != window) are equivalent, as are (parent !=
    self) and (parent != window). Top, self, window and parent are
    properties of your global/window object so there should be no problem
    reading them and comparing them.

    > top.location = self.location;


    This might error because the - location - property refers to an object.
    Although you can (and probably should) set it with a string value this
    assignment is setting it to an object reference. Probably the -
    self.location - object reference will be type-converted to a string for
    the assignment, but I wouldn't want to trust to that in this context.
    Instead assign the - href - (string) property of your location object to
    the location property of the top or parent frame:-

    top.location = self.location.href;
    -or:-
    parent.location = window.location.href;
    (and related permutations)

    - assigning to the - location - property in the parent/top frame is not
    normally a security issue as it just unloads and replaces the entire
    parent/top document.

    > }
    >
    > if (window != top) {
    > top.location.href = location.href


    Assigning to the href property of the - top.location - object might be
    subject to security restrictions (you may be denied access to the
    contents of top.location, or read access to top itself (you have to have
    read access to resolve - top.location - to an object reference)).

    > if (top.window != window) {


    top and top.window should refer to the same object, but trying to read
    properties of top might be restricted.

    > top.location.href = window.location.href
    > }


    This assignment is functionally equivalent to the previous example.

    > if (parent.frames.length > 0) {


    Reading properties of the - parent - and/or - parent.frames - object may
    be subject to security restrictions.

    > parent.location.href = location.href;
    > }
    >
    > if (top.location != location) {


    As indeed might comparing properties of the - top - or - parent - object
    with properties of your own global/window object, if they are from
    different domains.

    > top.location.href = document.location.href
    > }
    >
    > if (parent.frames.length >= 1) {


    Again, reading properties of the - parent - and/or - parent.frames -
    object may be subject to security restrictions.

    > window.top.location.href = "index.html"
    > }


    There is more maintenance in using string literals (different code on
    each page and a need to update it if you decide to change the page name
    (or copy and paste to create a new page)). While not only do versions
    that assign location.href not need to know their file name, they can all
    be imported with a common site-wide JS file.

    Compare the self or window properties of your global/window object with
    its top or parent properties and if they differ assign the location.href
    string from your global/window object to the location property of the
    top or parent object. Something like:-

    if(parent != window){
        parent.location = location.href;
    }

    Richard.
     
    Richard Cornford, Oct 6, 2004
    #2

  3. JRS: In article <cjv9rh$658$1$>, dated Wed, 6
    Oct 2004 00:13:52, seen in news:comp.lang.javascript, Richard Cornford
    <> posted :
    >
    >If you are breaking out of frames they will presumably be other people's
    >frames and cross-domain/same-origin security restrictions will apply.
    >The extent to which you can read properties of the containing frame may
    >be more or less restricted because of this.
    >
    >It is important that your code does not cause an exception due to
    >security restrictions else it will not only not escape the frame, but it
    >might not work properly at all.



    If one's page has without permission been framed, one may want to de-
    frame it. But if one cannot de-frame it one might prefer not to display
    it at all, or to display a considerably different content ...

    Pseudo-code :

    if (framed) and (not-authorised) then
    body.HTML = "<big>Framed display not permitted!<\/big>"
    // which should stop what follows it from showing.

    Or even if (framed) and (not-authorised) then while true do ;

    --
    © John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
    <URL:http://www.jibbering.com/faq/> JL/RC: FAQ of news:comp.lang.javascript
    <URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
    <URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.
     
    Dr John Stockton, Oct 6, 2004
    #3
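
Added example (not code from any poster in this thread): a small Node-runnable model of the two points made in replies #2 and #3, showing which variants survive when every read on the foreign top window is denied, and a guard that withholds the content before trying to leave the frame. The helpers foreignTop and framedPage, the variant names and the example.* URLs are constructed stand-ins; the model is an assumption and is stricter than any particular browser.

```javascript
// Added example. foreignTop() and framedPage() are constructed test doubles,
// not browser APIs; the URLs are placeholders.

// Strict model of a cross-origin top window: every property read is denied and
// only assignment to `location` is honoured, unless navigation is blocked
// (for example an <iframe sandbox> without allow-top-navigation).
function foreignTop(state, allowNavigation) {
  return new Proxy({}, {
    get(_, prop) { throw new Error("denied read: " + String(prop)); },
    set(_, prop, value) {
      if (prop !== "location" || !allowNavigation) throw new Error("denied write: " + String(prop));
      state.topUrl = value;
      return true;
    },
  });
}

function framedPage(href, top) {
  const win = { location: { href }, document: { body: { innerHTML: "<p>account form</p>" } } };
  win.self = win.window = win;
  win.top = win.parent = top || win;
  return win;
}

// The form recommended in reply #2 and two variants from the first post,
// written against an explicit window object.
const variants = {
  assignString: (w) => { if (w.top != w.self) w.top.location = w.self.location.href; },
  assignHref: (w) => { if (w.window != w.top) w.top.location.href = w.location.href; },
  readFrames: (w) => { if (w.parent.frames.length > 0) w.parent.location.href = w.location.href; },
};

// True when the variant navigates the top window without raising an exception.
function survivesStrictModel(name) {
  const state = { topUrl: "https://framer.example/" };
  const win = framedPage("https://site.example/page.html", foreignTop(state, true));
  try { variants[name](win); } catch (e) { return false; }
  return state.topUrl === win.location.href;
}

// Withhold the content first, then try to leave the frame, so a failed or
// silently ignored navigation never leaves the real page visible in the frame.
function guardAgainstFraming(win, notice) {
  if (win.top === win.self) return "not-framed";
  win.document.body.innerHTML = notice;
  try {
    win.top.location = win.location.href;
    return "navigation-requested";
  } catch (e) {
    return "navigation-blocked";
  }
}
```

Current browsers allow some of the cross-origin reads that this model denies, so treat it as the worst case the reply warns about. The response headers X-Frame-Options and Content-Security-Policy: frame-ancestors let the browser refuse the framing itself, without relying on script running inside the frame.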
  4. On Wed, 6 Oct 2004 15:25:04 +0100, Dr John Stockton
    <> wrote:

    [snip]

    > Or even if (framed) and (not-authorised) then while true do ;


    But wouldn't that punish the user by hanging the browser? It wasn't their
    decision to steal your page.

    Mike

    --
    Michael Winter
    Replace ".invalid" with ".uk" to reply by e-mail.
     
    Michael Winter, Oct 7, 2004
    #4
  5. JRS: In article <opsfh1a50rx13kvk@atlantis>, dated Thu, 7 Oct 2004
    12:07:03, seen in news:comp.lang.javascript, Michael Winter
    <M.Winter@blueyonder.co.invalid> posted :
    >On Wed, 6 Oct 2004 15:25:04 +0100, Dr John Stockton
    ><> wrote:
    >
    >[snip]
    >
    >> Or even if (framed) and (not-authorised) then while true do ;

    >
    >But wouldn't that punish the user by hanging the browser? It wasn't their
    >decision to steal your page.


    Well, is there not always a way to stop the browser window? Back, Stop,
    Home, or wait for a browser timeout? There should be.

    It's an indirect way of punishing the offender, by getting his readers
    seriously annoyed with the consequences of unauthorised framing, so that
    they become ex-readers.

    But I leave it to the reader of my news article to decide what his pages
    should do - quietly unframe his page, quietly decline to display,
    complain and display, sweep the background through an inartistic choice
    of colours, seize up, ...

    --
    © John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
    <URL:http://www.jibbering.com/faq/> JL/RC: FAQ of news:comp.lang.javascript
    <URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
    <URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.
     
    Dr John Stockton, Oct 7, 2004
    #5
