How to prevent the no-frame JS?

Eli

Hi,

I'm using an IFRAME in which I can load any site. But there are
some sites that check if they're in a frame and reload the whole
window. This disrupts my whole page.

Some questions:

1. Isn't this illegal to change the top location of the window? It
seems like a security hole (XSS hack).

2. How do sites do that? (see that even gmail.com does it)

3. How can I force the site to remain in the IFRAME and not allow it to
change the top location?

-thanks, Eli
 
kaeli

> I'm using an IFRAME in which I can load any site. But there are
> some sites that check if they're in a frame and reload the whole
> window. This disrupts my whole page.

Yeah, that's what we hope for.
I don't want my stuff framed in your site. Breaks my code.
Any site I have that needs to use top.frames has a framebuster script in
there.
Considering how many people like you have posted this sort of question, I'm
considering adding it to the rest of my stuff.

> Some questions:
>
> 1. Isn't this illegal to change the top location of the window? It
> seems like a security hole (XSS hack).

It's illegal to use other people's content without permission on your site,
actually. Copyright and all that jazz.
If someone really felt like it, they could probably report you to your host
and get your account pulled as a TOS violation -- if you don't make it
really, really obvious that you're framing someone else's stuff, not claiming
it as your own.

> 2. How do sites do that? (see that even gmail.com does it)

They check the value of top.location.href or something similar.
Ever stop to think why we need to do this?

My guess is that Gmail also uses top to reference its own frameset. Putting
it in another breaks it.

> 3. How can I force the site to remain in the IFRAME and not allow it to
> change the top location?

You can't.
If you could, do you really think we'd tell you?

--
 
Eli

kaeli said:
> It's illegal to use other people's content without permission on your site,
> actually. Copyright and all that jazz.
> If someone really felt like it, they could probably report you to your host
> and get your account pulled as a TOS violation -- if you don't make it
> really, really obvious that you're framing someone else's stuff, not claiming
> it as your own.

Of course, I'm not intending to use other sites' content as my content.
And I make it really clear that the content is from another site, by
showing the real URL in the top window and showing a URL input text to
change to another URL. No break of copyrights and all that jazz.
Serious sites that do care about copyrights put a copyright statement on
their pages.
I can also claim that google breaks copyrights because it saves
contents of other sites in their cache without permissions.
Besides, you can put any image in your site from any site (with the
<image src="..."> tag). Who really checks where's the origin of the
image? It's not that clear where the image comes from. The same way you
check the origins of an image you can check the origins of an IFRAME. I
know it's not OK to use other's stuff, but if copyrights are saved, I
guess there's nothing wrong.

> They check the value of top.location.href or something similar.
> Ever stop to think why we need to do this?

Well, I guess that's not something you can rely on to prevent the
redirect behavior. So how can you make the check fail, or better,
prevent the top redirect?

> You can't.
> If you could, do you really think we'd tell you?

Copyrights in my site are saved. The no-frame redirect makes data loss
in the top frame, which could break actions. So preventing this is
critical for me.
How can a site inside an IFRAME change the location of the top
window? Shouldn't it be disallowed by a domain JS security?

I know this redirect can be prevented. I just don't know how...

-thanks, Eli
 
Matt Kruse

kaeli said:
> I don't want my stuff framed in your site. Breaks my code.

Why do you always assume this is for some malicious purpose?

My browser's home page is a custom frameset "control panel" that I created
which loads my most-accessed sites in frames for me and updates them every
so often. Surely you shouldn't object to that.

If being framed breaks your code, your coding is bad, IMO.

Blindly referring to 'top' is not recommended, IMO. You should always go
through your parent.
 
kaeli

> Why do you always assume this is for some malicious purpose?

Because I'm a cynical little shit who knows plenty of people who aren't very
nice. And in case you didn't notice, I myself have been known to do some
questionable things with websites just for the hell of it.
I assume it is for a questionable purpose until it is proven otherwise. YMMV

Basically, the same reason I use .htaccess to prevent bandwidth theft.
Because some people are idiots; some don't know better and some know better
but do it anyway.

> My browser's home page is a custom frameset "control panel" that I created
> which loads my most-accessed sites in frames for me and updates them every
> so often. Surely you shouldn't object to that.

No, I don't.
If I did, I'd already have that framebuster code on ALL my stuff.

> If being framed breaks your code, your coding is bad, IMO.

The coding is fine. The assumption that my frameset is not enclosed in
someone else's is perfectly reasonable.
And if someone frames my stuff when I didn't want them to, it's their stuff
that looks broken anyway. *eg*

That's like saying that if installing my windows app on your mac breaks it,
the code is bad. Or that using my stuff that I say is for NN6+ only on NN4
breaks it, the code is bad.
Assumptions for code have to be made. The assumption that someone won't frame
my frames is one I make and ensure by using framebuster scripts. Just like I
use object detection in my script so NN4 won't run it and puke.

> Blindly referring to 'top' is not recommended, IMO. You should always go
> through your parent.

That isn't always possible for global code called from nested framesets.
Plus, it's just easier. Why should I have to NOT use it when I don't want my
frames framed by someone else to begin with? That's just silly.

--
~kaeli~
Why do they lock gas station bathrooms? Are they afraid
someone will clean them?
http://www.ipwebdesign.net/wildAtHeart
http://www.ipwebdesign.net/kaelisSpace
 
kaeli

> I can also claim that google breaks copyrights because it saves
> contents of other sites in their cache without permissions.

This is true to a point, but it won't cache pages if you tell it not to. It
obeys the robots.txt file.

> Besides, you can put any image in your site from any site (with the
> <image src="..."> tag). Who really checks where's the origin of the
> image?

That's called bandwidth theft, and many of us use .htaccess files to prevent
it.
Just because you *can* doesn't mean you *should*.

> I know it's not OK to use other's stuff, but if copyrights are saved, I
> guess there's nothing wrong.

I'd have to generally agree with that statement.
As long as it's clear, there isn't all that much wrong with it.
Except when people use frames and assume their frames are their own.
They shouldn't have to change their code to accommodate other people's sites.

> Well, I guess that's not something you can rely on to prevent the
> redirect behavior. So how can you make the check fail, or better,
> prevent the top redirect?

You, as the person framing the site, cannot, generally speaking.
And if you manage it (usually by blocking all script, trapping
onbeforeunload, or some such hack), you usually break the framed site and
possibly your own.

> How can a site inside an IFRAME change the location of the top
> window? Shouldn't it be disallowed by a domain JS security?

Nope. Because while your motives may be fine, others have motives that aren't
so fine. (answering the "should", which is subjective)

If you're totally dying to do this, there is a way to remove all the script
elements of a page before you frame it.
Requires server-side scripting that can use sockets and do http requests and
the permissions to create a temp file on the server.
I won't post the solution here in a public forum. It can be deduced from what
I said already.

--
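
The check kaeli describes and the behaviour Eli asks about (a framed page navigating the top window), as an added example that is not part of any post in this thread: reading `top.location.href` fails across origins, while assigning `top.location` is what the framebuster relies on. The `fakeTop`/`fakeWindow` helpers and the example.* URLs are constructed stand-ins so the logic runs outside a browser.

```javascript
// Added example, not code from the thread. Decides what a page does about
// being framed: nothing at top level, nothing inside its own frameset,
// and navigate the top window to itself when a foreign page frames it.
function frameGuard(win) {
  if (win.self === win.top) return "top-level";        // not framed at all
  let sameOrigin = false;
  try {
    // Reading top.location.href throws when the parent is another origin.
    sameOrigin = new URL(win.top.location.href).origin ===
                 new URL(win.location.href).origin;
  } catch (e) {
    sameOrigin = false;
  }
  if (sameOrigin) return "own-frameset";               // the site's own frames
  // Assigning top.location is the cross-origin write the framebuster uses.
  win.top.location = win.location.href;
  return "busted";
}

// Constructed stand-ins for browser window objects (assumption: test doubles).
function fakeTop(href, crossOrigin) {
  const top = { navigatedTo: null };
  Object.defineProperty(top, "location", {
    get() {
      if (crossOrigin) return { get href() { throw new Error("SecurityError"); } };
      return { href };
    },
    set(url) { top.navigatedTo = url; },               // record the navigation
  });
  return top;
}

function fakeWindow(href, top) {
  const win = { location: { href } };
  win.self = win;
  win.top = top || win;
  return win;
}

function demo() {
  const page = "https://site.example/inbox";            // constructed URL
  const foreignTop = fakeTop("https://framer.example/", true);
  const ownTop = fakeTop("https://site.example/", false);
  return {
    alone: frameGuard(fakeWindow(page)),
    ownFrameset: frameGuard(fakeWindow(page, ownTop)),
    foreign: frameGuard(fakeWindow(page, foreignTop)),
    foreignTopNow: foreignTop.navigatedTo,
  };
}
```

A script check like this takes effect only when the framed page's script runs; the `X-Frame-Options` response header and the CSP `frame-ancestors` directive let the browser enforce the same policy without script.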
 
