开发者

Preventing frame busting with access to page source

问答 作者:

So we are loading a page in an iframe. This child page is loaded from a cache on the same domain as the parent. However external assets are not cached locally, and are loaded from the external site - including javascript. In one site we have frame-busting code:

if (top.location != self.location) {

    top.location = self.location
}

Now I know that we could use the solution from coderr but I'm not sure what the implications / knock on issues are. Given that we have access to the cached child page, I am wondering whether there is anything we can add to the child in order to override any methods or values in order to render null the framebusting. E.g in the <head> of the child I tried adding this:

<script type="text/java开发者_如何学Goscript">
    top.location = self.location
</script>

and 

self.location = top.location

with pretty horrific results (infinite nesting in the first example, total and complete browser meltdown in the second).

Are there any suggestions for code we could add to the child to nullify the framebusting?

Else, we'll have to cache the js and parse out / replace framebusting script.

Thanks

R.

And please - this is legit!!

I came across a very interesting post by Jeff Atwood a while ago, where he talks about an "impossible" to counter anti-frame-busting technique:

http://www.codinghorror.com/blog/2009/06/we-done-been-framed.html

It doesn't even require privileged access to the child frame's code!

Simple Text replacement with Tampermonkey

document.body.innerHTML = document.body.innerHTML.replace(/original/g,"new");

If using the regex version (replace all occurrences in the document) then you need to escape especial characters like / and " with the \ symbol.

To replace only a single occurrence:

var find = "if (top.location!=location) { top.location.href = location.href; }";
replace = "";
document.body.innerHTML = document.body.innerHTML.replace(find,replace);

This will not work on pages that have the <script> at the very top, up by the head.

Make sure @run-at document.start is set.

继续阅读:framebustingiframejavascript

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9