1

How can I stop my website from loading in a frame?

As can be seen here: http://yehg.net/lab/pr0js/pentest/cross_site_framing.php

Google.com won't load, msn.com will break out of the frame. AOL.com will load fine. How do I make my website either break out of the frame or load in the whole window?

Paul
mrc0der

2 Answers

9

This little script snippet should work:

<script>
if (window !== top) top.location = window.location;
</script>

Also, you can prevent your pages from being loaded in an iframe by specifying an X-Frame-Options: DENY header. See https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header for details.

broofa
  • 1
    X-Frame-Options should be used. Supported by all newer browsers. Framebusting with JS is for older browsers lacking support for that header. In newer browsers, adding sandbox to the iframe causes the framebusting JS (and any other JS) not to run – Erlend Nov 01 '12 at 05:50
  • 6
    It's worth noting that there's a functional difference between these two options: XFO will prevent the page from loading altogether, while the script snippet will cause the page to be loaded in the main window. – broofa Nov 02 '12 at 22:45
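
A check for the header the answer above recommends, as an added example that is not part of the original answers: it classifies a response's X-Frame-Options value, so pages that rely only on the script (which the comments note will not run in a sandboxed iframe) show up as `missing`. The function name, result labels and sample headers are constructed for illustration.

```javascript
// Added example: classify a response's X-Frame-Options protection.
// `headers` is a plain object of header name -> value (string or array),
// e.g. the headers object Node's http module exposes on a response.
function framingPolicy(headers) {
  // Header names are case-insensitive; collect every X-Frame-Options value.
  const raw = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'x-frame-options') raw.push(...[].concat(value));
  }
  // Repeated headers may arrive comma-joined, so split and normalise tokens.
  const tokens = new Set(
    raw.flatMap((v) => String(v).split(','))
      .map((t) => t.trim().toLowerCase())
      .filter((t) => t !== '')
  );
  if (tokens.size === 0) return 'missing';
  if (tokens.size > 1) return 'conflict'; // e.g. DENY and SAMEORIGIN both sent
  const [only] = tokens;
  if (only === 'deny') return 'deny'; // never rendered in any frame
  if (only === 'sameorigin') return 'sameorigin'; // framed only by its own origin
  return 'invalid'; // typo or unrecognised value: fix the server configuration
}

// Constructed sample responses (not captured from any real site).
const samples = {
  denied: { 'X-Frame-Options': 'DENY' },
  sameOrigin: { 'x-frame-options': ' SameOrigin ' },
  scriptOnly: { 'Content-Type': 'text/html' }, // relies on JS framebusting alone
  duplicated: { 'X-Frame-Options': 'DENY, SAMEORIGIN' },
  typo: { 'X-Frame-Options': 'DENY;' },
};

// Run the classifier over every sample and return label -> result.
function auditSamples() {
  const report = {};
  for (const [label, headers] of Object.entries(samples)) {
    report[label] = framingPolicy(headers);
  }
  return report;
}

console.log(auditSamples());
```
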
0

A break-out-of-frame script can be done if you compare the URL of the top frame to the current frame URL:

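// Compare the top frame's URL with this frame's URL (window.location.href).
// Reading top.location.href throws when the parent page is cross-origin.
if (window.top.location.href != window.location.href)
{
  window.top.location = window.location.href;
}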
Mark Knol