Defeating the Frame Busting Buster Consider the scenario where you wish to prevent other websites from embedding your site within an . To do this, you incorporate the following frame-busting JavaScript into your pages:</p> <div class="code" style="position:relative; padding:0px; margin:0px;"><pre>/* break us out of any containing iframes */ if (top != self) { top.location.replace(self.location.href); }</pre><div class="contentsignin">Copy after login</div></div> <p>While effective, this code can be bypassed by a frame-busting buster:</p> <div class="code" style="position:relative; padding:0px; margin:0px;"><pre><script type="text/javascript"> var prevent_bust = 0 window.onbeforeunload = function() { prevent_bust++ } setInterval(function() { if (prevent_bust > 0) { prevent_bust -= 2 window.top.location = 'http://example.org/page-which-responds-with-204' } }, 1) </script></pre><div class="contentsignin">Copy after login</div></div> <p>This buster operates by:</p> <ul> <li>Incrementing a counter on any attempted navigation away from the page</li> <li>Using a timer to redirect the page to the attacker's server if the counter increases</li> <li>Retrieving a 204 HTTP status code, preventing further navigation</li> </ul> <p><strong>So, how do you defeat the frame-busting buster?</strong></p> <p>One effective approach is to use the X-Frame-Options: deny directive, supported by most modern browsers. This directive prevents framing even when scripting is disabled:</p> <div class="code" style="position:relative; padding:0px; margin:0px;"><pre>X-Frame-Options: deny</pre><div class="contentsignin">Copy after login</div></div> <p><strong>Browser Support:</strong></p> <ul> <li> <strong>IE8:</strong> https://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx</li> <li> <p><strong>Firefox (3.6.9):</strong></p> <ul> <li>https://bugzilla.mozilla.org/show_bug.cgi?id=475530</li> <li>https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header</li> </ul> </li> <li> <p><strong>Chrome/Webkit:</strong></p> <ul> <li>http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html</li> <li>http://trac.webkit.org/changeset/42333</li> </ul> </li> </ul>
