 

How to forbid framing

I have recently noticed that Stack Overflow "for security reasons" does not allow framing.

1) How was this done? (Not in SO's specific case! I mean the technique/language etc.; for some reason I guess it's JS.)

2) Is it actually preventing it, or is it just a warning (sort of like client-side validation)?

3) Should this always be done, or are there specific reasons for doing it, so that it is not necessary in most cases? (This is the first time I've seen it.)

Thanks in advance!

asked Dec 12 '10 00:12 by Trufa



2 Answers

1) Frame busting is always done on the client: since the server is never told that a page is requested to be used in a frame, it has to be done client-side. Recent browsers support a special HTTP header called X-Frame-Options to prevent displaying a page in a frame, but for removing the frames or for older browser versions, you need JavaScript. (Thanks to ide for pointing this out!)

2) Assuming you don't use the HTTP header, then if JavaScript is turned off, the frame will stay. There's no way around that, since it has to happen client-side.

3) It was actually fairly common some years ago, although it seems most sites have stopped using it by now. One reason you might still use it is to prevent clickjacking.

Now, it just so happens that frame busting can be busted, and there's actually an SO question about how frame-busting busters can be busted - SO is currently using this kind of anti-anti-frame busting.

(Of course, it could be the case that this anti-anti-frame busting can itself be busted, in which case there might be a way to bust the anti-anti-frame-busting buster, and I'm sure you see where this is going.)

answered Sep 23 '22 14:09 by Michael Madsen

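The two layers the answer above describes, as an added example that is not part of the original answer or of Stack Overflow's own code: a server-side header that makes the browser refuse to render the page in a frame (X-Frame-Options, plus the newer CSP frame-ancestors directive that supersedes it), and the client-side frame buster for browsers that ignore the header. The classic one-liner `if (top != self) top.location = self.location` fails when JavaScript is off, and the outer, attacker-controlled page can also cancel the redirect (the onbeforeunload/HTTP 204 trick from the "busting frame busting" research), so the pattern shown here ships the page hidden and only reveals it when it is the top window. Browser objects are simulated with constructed data so the code runs under Node without a DOM; `makeWindow`, `runFrameBuster` and the `attackerVetoes` flag are names invented for this demo.

```javascript
'use strict';

// --- Server side: anti-framing response headers -------------------------
// X-Frame-Options only knows DENY and SAMEORIGIN (ALLOW-FROM never got wide
// support and is obsolete). The CSP frame-ancestors directive covers the same
// cases and, unlike X-Frame-Options, can also list allowed partner origins.
// Sending both keeps old browsers that only understand X-Frame-Options covered.
function antiFramingHeaders(policy, allowedOrigins = []) {
  switch (policy) {
    case 'deny':
      return { 'X-Frame-Options': 'DENY',
               'Content-Security-Policy': "frame-ancestors 'none'" };
    case 'sameorigin':
      return { 'X-Frame-Options': 'SAMEORIGIN',
               'Content-Security-Policy': "frame-ancestors 'self'" };
    case 'allowlist': {
      // Only CSP can express a list. Entries must be origins (scheme://host[:port]),
      // not URLs with paths; reject anything else rather than emit a broken policy.
      for (const origin of allowedOrigins) {
        if (!/^https?:\/\/[^\/\s]+$/.test(origin)) {
          throw new Error(`not an origin: ${origin}`);
        }
      }
      return { 'Content-Security-Policy':
               `frame-ancestors 'self' ${allowedOrigins.join(' ')}` };
    }
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// --- Client side: frame-busting decision --------------------------------
// The page is served with html { display: none }. The decision is: reveal the
// document only when we are the top window; otherwise stay hidden and try to
// navigate the top window to ourselves. If the attacker's outer page blocks
// the navigation, the user is left with a blank frame instead of a clickable
// one, which is what makes this variant "anti-anti-frame-busting".
function frameBustDecision(win) {
  if (win.top === win.self) {
    return { reveal: true, navigate: null };
  }
  return { reveal: false, navigate: win.self.location };
}

// Simulates what the browser does with the decision. The outer frame gets a
// chance to veto the navigation, standing in for the onbeforeunload/204 trick.
function runFrameBuster(win) {
  const decision = frameBustDecision(win);
  win.document.documentElement.style.display = decision.reveal ? 'block' : 'none';
  if (decision.navigate) {
    const vetoed = typeof win.top.onbeforeunload === 'function'
      && win.top.onbeforeunload() === false;
    if (!vetoed) win.top.location = decision.navigate;
  }
  return win;
}

// Minimal stand-in for a browser window (constructed test data, not a real DOM).
function makeWindow(location, { framed = false, attackerVetoes = false } = {}) {
  const win = {
    location,
    document: { documentElement: { style: { display: 'none' } } },
  };
  win.self = win;
  win.top = framed
    ? { location: 'https://attacker.example/',
        onbeforeunload: attackerVetoes ? () => false : null }
    : win;
  return win;
}

// Walk through the three cases the answer discusses.
console.log(antiFramingHeaders('deny'));
console.log(runFrameBuster(makeWindow('https://example.com/q')).document.documentElement.style.display);
console.log(runFrameBuster(makeWindow('https://example.com/q', { framed: true })).top.location);
console.log(runFrameBuster(makeWindow('https://example.com/q', { framed: true, attackerVetoes: true })).top.location);
```

In the last case the redirect is blocked and the top window still points at the attacker's page, but the framed document stays `display: none`, so a clickjacking overlay has nothing underneath it. The header path is the one to rely on in practice; the JavaScript is only a fallback for clients that ignore it.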


See this post on frame breakers: http://www.codinghorror.com/blog/2009/06/we-done-been-framed.html

answered Sep 23 '22 14:09 by epascarello
