
I'm doing some simple web integration work which I'm accomplishing through use of an iframe. My main window has some JavaScript which interacts with my server to redirect the iframe to the required URL. One of the target pages sadly has the following piece of code inside:

if (top.location != location) {
    top.location.href = document.location.href;
}

The script dies because of cross-site scripting restrictions and prevents that page from rendering properly. I can't modify the source of that page (3rd party I'm integrating with).

How could I work around this?

Thanks

srmark

4 Answers

This is my first post so don't trash me if it doesn't work, but this fix seems to work for me in IE. Add security="restricted" to your frame.

example:

<iframe id="frame_id" name="frame_name" security="restricted" src="page.html">  
</iframe>

Edit: I found a better solution. That doesn't block scripts and doesn't require JavaScript. Try using sandbox="..."

  • allow-forms allows form submission
  • allow-popups allows popups
  • allow-pointer-lock allows pointer lock
  • allow-same-origin allows the document to maintain its origin
  • allow-scripts allows JavaScript execution, and also allows features to trigger automatically
  • allow-top-navigation allows the document to break out of the frame by navigating the top-level window

Top navigation is what you want to prevent, so leave that out and it will not be allowed. Anything left out will be blocked.

ex.

<iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms" src="http://www.example.com"></iframe>
adigioia
    Don't be so hesitant with your answer, if you're not sure about whether or not you're right, look it up or let someone else answer. This site is meant to be an authoritative source on everything, so if you can't be absolutely correct then take your time and double check. It will pay off big time. – randomusername Dec 27 '13 at 07:14
  • @adigioia I tried your example, it is working fine in both FF and Chrome. Thanks – Jeya Kumar Sep 09 '16 at 08:35
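To make the sandbox answer above concrete from the embedding page's side, here is an added example (not code from the question or any answer) that builds the sandbox attribute value from a set of capabilities and checks an existing value for the two things a practitioner should look for: an allow-top-navigation token, which would let the framed page bust the frame, and the allow-scripts plus allow-same-origin combination, which the HTML spec warns lets a same-origin framed document remove its own sandbox attribute and reload itself unsandboxed. The function names buildSandbox and checkSandbox and the options object are assumptions of this example; the token names are the ones listed in the answer.

```javascript
// Added example, not part of the original answers. Builds and checks an
// iframe sandbox attribute value so that top-level navigation stays blocked.
// Function names and the options object are assumptions of this example.

// Tokens listed in the answer above.
const KNOWN_TOKENS = new Set([
  "allow-forms",
  "allow-popups",
  "allow-pointer-lock",
  "allow-same-origin",
  "allow-scripts",
  "allow-top-navigation",
]);

// Returns the attribute value for the requested capabilities.
// allow-top-navigation is deliberately never emitted: without it the
// framed page's `top.location = ...` is refused by the browser, which is
// the whole point of the answer. An empty string (sandbox="") blocks
// everything, which is the safe default when no option is set.
function buildSandbox(opts) {
  const tokens = [];
  if (opts.forms) tokens.push("allow-forms");
  if (opts.popups) tokens.push("allow-popups");
  if (opts.pointerLock) tokens.push("allow-pointer-lock");
  if (opts.sameOrigin) tokens.push("allow-same-origin");
  if (opts.scripts) tokens.push("allow-scripts");
  return tokens.join(" ");
}

// Inspects an existing attribute value and returns a list of findings.
// `framedIsSameOrigin` says whether the framed URL shares the embedding
// page's origin; the spec caveat about allow-scripts + allow-same-origin
// only bites in that case, not for a third-party page as in the question.
function checkSandbox(value, framedIsSameOrigin) {
  const findings = [];
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  const set = new Set(tokens);
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) findings.push(`unknown token: ${t}`);
  }
  if (set.has("allow-top-navigation")) {
    findings.push("allow-top-navigation lets the framed page navigate the top window, so frame busting would work");
  }
  if (framedIsSameOrigin && set.has("allow-scripts") && set.has("allow-same-origin")) {
    findings.push("allow-scripts with allow-same-origin on a same-origin document lets it remove the sandbox attribute and reload itself unsandboxed");
  }
  return findings;
}

// Minimal attribute escaping so a src value can be dropped into markup.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Renders the iframe tag the answer describes, with the built sandbox value.
function iframeHtml(src, opts) {
  return `<iframe sandbox="${buildSandbox(opts)}" src="${escapeAttr(src)}"></iframe>`;
}

// Usage: the answer's own example, reproduced through the helper.
console.log(iframeHtml("http://www.example.com", { sameOrigin: true, scripts: true, popups: true, forms: true }));
console.log(checkSandbox("allow-same-origin allow-scripts allow-popups allow-forms", false));
```

The check is intentionally conservative: it reports the same-origin caveat only when the framed page is same-origin with the embedder, because for the cross-origin third-party page in the question the framed document cannot reach the parent's DOM or its own iframe element regardless of those two tokens.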

There is a technique to disable the frame busting code, as discussed in a newer SO question:

As it turns out, your frame-busting code can be busted, as shown here:

<script type="text/javascript">
    var prevent_bust = 0;
    // Count every attempt to navigate away from this page.
    window.onbeforeunload = function() { prevent_bust++; };
    // Poll the counter every millisecond and, once a navigation attempt is
    // seen, redirect the top window to a URL that answers with HTTP 204.
    setInterval(function() {
      if (prevent_bust > 0) {
        prevent_bust -= 2;
        window.top.location = 'http://server-which-responds-with-204.com';
      }
    }, 1);
</script>

This code does the following:

  • increments a counter every time the browser attempts to navigate away from the current page, via the window.onbeforeunload event handler
  • sets up a timer that fires every millisecond via setInterval(), and if it sees the counter incremented, changes the current location to a server of the attacker's control
  • that server serves up a page with HTTP status code 204, which does not cause the browser to navigate anywhere
Colin Pickard
    I beg to differ; it does achieve his specific goal! The target page will not be trying to defeat this method, as described in the question and comments. This new information will now allow him to achieve his goal – Colin Pickard Jun 18 '09 at 16:15
  • Hence the downvote - it was intended to indicate that the accepted answer was no longer a complete/correct answer to the question. With further thought however I have retracted the downvote and replaced it with an upvote, since your answer did provide a sensible workaround. – Colin Pickard Jun 18 '09 at 16:17
  • The new technique is actually better for the purpose since the original design includes an iframe. – Colin Pickard Jun 18 '09 at 16:19
  • Also the answers were not accepted by Jeff because they do not address the likely situation of multiple domains. For practical purposes, it remains undefeated. – Colin Pickard Jun 18 '09 at 16:27
    I have upvoted your answer for at least being honest about what happened and in recognition of fact that there may be some situations this might apply. It seems a desperate technique, but it does work. Honestly, I hope that someday something better (like a "NoFrame" attribute) comes into play because *most* suppression of frame busting falls into the "foul" category. If someone doesn't want to be framed, allowing them to have a new window is the "right" thing. Our insurance product was *designed* to be framed, including CSS matching the parent site: no frame busting code there. – Godeke Jun 18 '09 at 17:17
  • This code is useful for some needs but not for this question. I also have this problem. I tried the solution but the iframe still goes out to the main URL. But if I click on my homepage link when I am at the page that has this script inside, it turns back to the page. Good solution, but it does not solve this. – aiternal Feb 14 '11 at 11:00

A valid question, and one I wish more people would take seriously, rather than just responding with lame comments about "respecting" the wishes of those whose material gets linked, sometimes unintentionally.

What about respecting the traffic that frame-busting JavaScript steals?

In netiquette terms frame-busting scripts are actually a big no-no, for that very reason.

There are many genuine and innocent reasons for using frames, or iframes, and it's not only very easy, but incredibly common, for code, especially URLs, to be inserted either legitimately or illegitimately into a page within that frameset, that leads traffic, intentionally or otherwise, to another page that rather rudely then breaks the frameset and steals the traffic.

The correct netiquette approach for a webmaster to use, who doesn't wish for his material to be displayed in a frameset, whether it was done intentionally or unintentionally, is to make a redirect script to a top page that displays a message informing the surfer that the page requested was not intended to be viewed in frames, and should they wish to view that page then they can view it at a URL, which is then linked, to open in a new tab or browser page. That doesn't break the frameset and steal the original site's traffic, thus allowing the surfer to make the choice themselves as to where they actually wish to surf.

I wish more webmasters would respect such netiquette.

Paul Sutton

After much searching I developed a simple trick. I created a dummy page in my own site which the iframe called for. I then had an iframe in the dummy page which called for the site breaking out of the frames. It broke out of the first frame, but since the dummy page was on my site it stayed neatly in the frame of the top page. Voilà.

Larry Holmes