
I need to add a JavaScript-based framebuster for my web application that helps prevent clickjacking (or Cross Frame Scripting) attacks for legacy browsers that don't support X-FRAME-OPTIONS.

After searching the internet, I found that currently there seem to be two approaches, shown below. Being a complete newbie at JavaScript, I prefer approach 1 for its simplicity.

My question is - are both approaches still valid at this time or is any of them already "busted"?

EDIT: changed my question to ask about both approaches instead of just approach 1.

Approach 1 (from http://en.wikipedia.org/wiki/Framekiller#Modern_framekiller):

```javascript
if (self == top) {
    document.documentElement.style.display = 'block';
} else {
    top.location = self.location;
}
```

Approach 2 (from https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script):

```html
<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       top.location = self.location;
   }
</script>
```

Many thanks.

Zoomzoom
  • What's the point of that `style` element? Why not put it directly on the body? ``, then if `self === top`, you'll just remove it: `document.body.style.display = '';` ? – Joseph Silber Aug 22 '13 at 20:39
  • Also, you do note that using this method, your entire site becomes unusable if JavaScript is disabled. – Joseph Silber Aug 22 '13 at 20:40
  • Sorry, for approach 2 I copy/pasted that code from the link provided. You're right. – Zoomzoom Aug 22 '13 at 20:43
  • By the way, I realized that the reason for the separate – Zoomzoom Aug 24 '13 at 19:54

0 Answers
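
An added example, not part of the original thread and not the OWASP cheat sheet's own code: approach 2's logic written as a function that takes the window and document as parameters, so its outcomes can be run under Node. The stand-in objects (`fakeWindow`, `fakeDocument`, `run`), the URLs and the `try`/`catch` are assumptions of this sketch, as is modelling a refused top-level navigation as a thrown error.

```javascript
// Approach 2's check, parameterised so it can run outside a browser.
function antiClickjack(win, doc) {
  if (win.self === win.top) {
    // Not framed: remove the hiding <style> so the page becomes visible.
    const style = doc.getElementById('antiClickjack');
    if (style && style.parentNode) style.parentNode.removeChild(style);
    return 'shown';
  }
  try {
    // Framed: try to replace the framing page with this one.
    win.top.location = win.self.location;
    return 'navigated';
  } catch (e) {
    // Navigation refused: the <style> is untouched, so the body stays hidden.
    return 'hidden';
  }
}

// Constructed stand-in for the document (hypothetical, illustration only).
function fakeDocument() {
  const head = {
    children: [],
    removeChild(n) { this.children = this.children.filter(c => c !== n); },
  };
  head.children.push({ id: 'antiClickjack', parentNode: head });
  return {
    getElementById: id => head.children.find(c => c.id === id) || null,
    bodyHidden: () => head.children.some(c => c.id === 'antiClickjack'),
  };
}

// Constructed stand-in for the window; topNavigable=false models a refusal.
function fakeWindow({ framed, topNavigable = true }) {
  const win = { location: 'https://app.example/page' };
  win.self = win;
  if (!framed) { win.top = win; return win; }
  let topLocation = 'https://framing.example/';
  win.top = {
    get location() { return topLocation; },
    set location(v) {
      if (!topNavigable) throw new Error('SecurityError (constructed)');
      topLocation = v;
    },
  };
  return win;
}

function run(opts) {
  const win = fakeWindow(opts), doc = fakeDocument();
  const outcome = antiClickjack(win, doc);
  return { outcome, bodyHidden: doc.bodyHidden(), topLocation: win.top.location };
}
```

In the refused case the page stays hidden because the `<style>` element is only removed on the `self === top` branch.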