Question

At some point last month, a random website decided to serve my company's website in a frame. Ignoring the question of "what are they doing?" for a minute, I used some simple frame-buster JavaScript:

<script type="text/javascript">
if (top.location != location) {
    top.location.href = document.location.href ;
}
</script>

That part works great. The problem is, not all frames are bad: if someone comes to the site via ow.ly, we don't want to destroy their frame. I've tried a few things, either to whitelist ow.ly or to blacklist the offending website, but I can't get around the cross-frame security long enough to search top.location. Is there any way I can block only some frames, based on the URL?

To clarify, I realize that I'm unlikely to win the frame-busting arms race. I'm fine with that. What I'm trying to do is establish a whitelist of sites that are allowed to show our site in a frame.

Solution

Employ some help from your back-end. You could check the HTTP referrer header and then enable your frame-buster accordingly.
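A sketch of the server-side decision described in the answer above, as an added example that is not part of the original answer. The names `ALLOWED_FRAMERS`, `hostAllowed`, `needsFrameBuster` and `renderPage` are hypothetical, and the referrer values used with it are constructed.

```javascript
// Added example: hosts allowed to frame the site (ow.ly comes from the question).
const ALLOWED_FRAMERS = ["ow.ly"];

// The frame-buster from the question, emitted only when the referrer is not allowed.
const FRAME_BUSTER =
  '<script type="text/javascript">\n' +
  "if (top.location != location) {\n" +
  "    top.location.href = document.location.href;\n" +
  "}\n" +
  "</script>";

// True when host equals an allowed entry or is a subdomain of it.
// Matching on a dot boundary keeps "ow.ly.evil.example" and "now.ly" out.
function hostAllowed(host, allowed) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  return allowed.some((a) => h === a || h.endsWith("." + a));
}

// Decide from the Referer request header whether to emit the frame-buster.
function needsFrameBuster(referer, allowed = ALLOWED_FRAMERS) {
  if (!referer) return true; // header absent or stripped: keep the buster
  let url;
  try {
    url = new URL(referer); // parse instead of substring-searching the header
  } catch {
    return true; // unparsable value: keep the buster
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return true;
  return !hostAllowed(url.hostname, allowed);
}

// Build the page, including the frame-buster only when it is needed.
function renderPage(bodyHtml, referer) {
  const guard = needsFrameBuster(referer) ? FRAME_BUSTER + "\n" : "";
  return "<!DOCTYPE html>\n<html><head>\n" + guard +
    "</head><body>" + bodyHtml + "</body></html>";
}
```

Because the response now depends on the Referer header, any cache in front of the site needs `Vary: Referer`. A framing page can suppress the header through its referrer policy, which this sketch treats the same as a disallowed framer.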

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow