
How do external iframes manage to redirect out of your site?

How can this be prevented?

Is it possible to listen to "redirect requests" and prevent them if there was no click?

Jav_Rock
lisovaccaro
  • possible duplicate of [How to prevent IFRAME from redirecting top-level window](http://stackoverflow.com/questions/369498/how-to-prevent-iframe-from-redirecting-top-level-window) – Oleg V. Volkov Sep 28 '12 at 08:52
  • I'm guessing you're trying to [bust the busting](http://www.codinghorror.com/blog/2009/06/we-done-been-framed.html) then? – adeneo Sep 28 '12 at 08:54
  • I am. I already managed to do it with a click listener + bust buster, I'll post the answer when I perfect it. – lisovaccaro Sep 28 '12 at 09:39

4 Answers


> How do external iframes manage to redirect out of your site?

parent.location is not readonly

> How can this be prevented?

By not framing untrusted third party content that doesn't want to be framed.

Quentin

You don't.

This has been called "frame busting" since time immemorial (well, as far as the 'Net goes). The child frame is able to set the hosting window as it wishes.

The only thing you can do is not <iframe> locations you don't trust.

AKX

An iframe can reach the main body and the window, as we can see from the fact that it is possible to drag and drop objects between different iframes with jQuery UI. In this case the external iframe can easily reach the main window and set its window.location.href. I am very busy now, but I think this will work with plain JavaScript: window.addEventListener('load', function(){}), or location, or another event may work, and then event.preventDefault() can stop the redirect. However, I haven't tried it yet. [edit: hashchange or a similar event can do it, I believe :) ]

Emre Karataşoğlu

This is how I did it:

```javascript
// Time of the latest click; 0 means no click has happened yet,
// so a redirect attempted before any click is also blocked
var lastClick = 0;

// Listen for unloads
var prevent_bust = 0;
window.onbeforeunload = function () { prevent_bust++; };
setInterval(function () {
  if (prevent_bust > 0) {
    prevent_bust -= 2;
    // If no clicks in the last .5 second don't redirect: send the top window
    // to a URL that is expected to answer HTTP 204, which leaves this page in place
    if (new Date().getTime() - lastClick > 500) {
      window.top.location = 'http://justwalk.it/stuff/204/foo';
    }
  }
}, 1);

// Listen for clicks, save time of latest one (requires jQuery)
$("body").click(function () {
  lastClick = new Date().getTime();
  console.log('click time:' + lastClick);
});
```
lisovaccaro
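
Browsers also offer a declarative control for the "only after a click" case the question asks about: the `sandbox` attribute on the `<iframe>`, where `allow-top-navigation-by-user-activation` lets the frame navigate the top window only in response to a user gesture. As an added example (not from any of the posts above), this Node.js script audits markup for frames that can navigate the top window; the sample markup, the `widgets.example` URLs and the fallback token set are assumptions.

```javascript
// Added example: audit <iframe> tags for the ability to navigate the top window.
// SAMPLE_HTML and its widgets.example URLs are constructed sample input.
const SAMPLE_HTML = `
<iframe src="https://widgets.example/a"></iframe>
<iframe src="https://widgets.example/b" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://widgets.example/c" sandbox="allow-scripts allow-forms"></iframe>
<iframe src="https://widgets.example/d" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
`;

// Read one attribute from a tag's text (simple scan, not a full HTML parser); null if absent.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}(?:\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+)))?(?=[\\s/>])`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3] ?? '') : null;
}

// Classify what the sandbox attribute lets the framed document do to window.top.
function topNavPolicy(sandbox) {
  if (sandbox === null) return 'unrestricted';   // no sandbox attribute, no sandbox restriction
  const tokens = new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has('allow-top-navigation')) return 'always';
  if (tokens.has('allow-top-navigation-by-user-activation')) return 'user-activation';
  return 'blocked';                              // sandboxed without any top-navigation token
}

// Rewrite a sandbox value so top navigation needs a user gesture at minimum.
// The fallback token set for unsandboxed frames is an assumption; adjust it per embed.
function hardenSandbox(sandbox, fallback = 'allow-scripts allow-forms') {
  const tokens = (sandbox === null ? fallback : sandbox).toLowerCase().split(/\s+/).filter(Boolean);
  const kept = tokens.filter(t => t !== 'allow-top-navigation');
  if (kept.length !== tokens.length && !kept.includes('allow-top-navigation-by-user-activation')) {
    kept.push('allow-top-navigation-by-user-activation');
  }
  return kept.join(' ');
}

// Report every iframe with its current policy and a suggested sandbox value.
function auditIframes(html) {
  return (html.match(/<iframe\b[^>]*>/gi) || []).map(tag => {
    const sandbox = getAttr(tag, 'sandbox');
    return { src: getAttr(tag, 'src'), policy: topNavPolicy(sandbox), suggested: hardenSandbox(sandbox) };
  });
}

console.table(auditIframes(SAMPLE_HTML));
```

Frames reported as `unrestricted` or `always` are the ones able to perform the redirect discussed in this thread without a click.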