The most effective way to prevent Clickjacking is to output the X-Frame-Options response header with a suitable value, such as DENY:
X-Frame-Options: DENY
Browsers check for this and will prevent the page from being framed, depending on the value.
Frame-busting JavaScript is used as a fallback for old browsers that don't support the X-Frame-Options header (IE7 and lower, for example).
As for your body error, the body element only becomes available after the browser interprets it in the HTML and creates it in the DOM. This is why your code shows the error when executed before the body tag. You would have to ask the developer why they are setting the body to display:block with this code. Perhaps the body is display:none by default in your CSS?
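An added example, not part of the original answer: the header and the legacy fallback side by side, with the fallback written so that it can run in the head without touching document.body. The function names, the antiClickjack id and the fake response object are hypothetical; res is assumed to expose setHeader the way Node's http.ServerResponse does.

```javascript
// Legacy fallback for browsers that ignore X-Frame-Options. The page is hidden
// by a <style> rule in <head>; the script removes that rule only when the page
// is the top-level window. It never reads document.body, which does not exist
// yet while <head> is being parsed (the cause of the "body" error above).
const FRAME_BUST_HEAD = [
  '<style id="antiClickjack">body{display:none !important;}</style>',
  '<script>',
  '  if (self === top) {',
  '    var guard = document.getElementById("antiClickjack");',
  '    guard.parentNode.removeChild(guard);',
  '  } else {',
  '    top.location = self.location;',
  '  }',
  '</script>'
].join('\n');

// Primary defence: tell the browser not to render this response in any frame.
function setAntiFramingHeaders(res) {
  res.setHeader('X-Frame-Options', 'DENY');
  return res;
}

// Minimal escaping for text placed into the <title> element.
function escapeHtml(text) {
  return String(text).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build a page whose <head> carries the fallback before <body> is parsed.
function renderPage(title, bodyHtml) {
  return '<!DOCTYPE html>\n<html>\n<head>\n<title>' + escapeHtml(title) + '</title>\n' +
    FRAME_BUST_HEAD + '\n</head>\n<body>\n' + bodyHtml + '\n</body>\n</html>\n';
}

// Constructed stand-in for a server response, so the example runs offline.
function demo() {
  const headers = {};
  const res = { setHeader: (name, value) => { headers[name.toLowerCase()] = value; } };
  setAntiFramingHeaders(res);
  return { headers: headers, html: renderPage('Account <settings>', '<p>Hello</p>') };
}

console.log(demo().headers);
```

With scripting disabled the style rule is never removed, so the page stays hidden rather than becoming frameable.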