I'm doing some simple web integration work which I'm accomplishing through use of an iframe. My main window has some javascript which interacts with my server to redirect the iframe to the required URL. One of the target pages sadly has the following piece of code inside:
if (top.location != location) {
top.location.href = document.location.href ;
}
The script dies because of cross-site-scripting restrictions and prevents that page from rendering properly. I can't modify the source of that page (3rd party I'm integrating with).
How could I work around this?
Thanks
You can set sandbox="", which prevents the iframe from redirecting. That being said, it won't redirect the iframe either.
A lot of people confuse web applications and web pages and confuse the proper uses of iFrames with improper uses of iFrames. Many have not been put in a position where iFrames are necessary and thus deem them useless overall.
IFrames are not obsolete, but the reasons for using them are rare. Using IFrames to serve your own content creates a "wall" around accessing the content in that area. For crawlers like Google, it's not immediately clear that content in an iframe will be ranked as highly as if the content were simply part of the page.
Nope, iframes are definitely not dead.
This is my first post so don't trash me if it doesn't work, but this fix seems to work for me in IE. Add security="restricted" to your frame.
example:
<iframe id="frame_id" name="frame_name" security="restricted" src="page.html">
</iframe>
Edit: I found a better solution. That doesn't block scripts and doesn't require javascript. Try using sandbox="..."
Top navigation is what you want to prevent, so leave that out and it will not be allowed. Anything left out will be blocked.
ex.
<iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms" src="http://www.example.com"></iframe>
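The rule in the answer above (a capability is blocked unless its token is listed) can be checked mechanically. This is an added example, not part of the original answer; the function name `auditSandbox` and its result fields are hypothetical, and it only inspects the attribute string, so it runs without a browser.

```javascript
// Added example: names and result shape are hypothetical, not from the page.
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-storage-access-by-user-activation', 'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// attr: the sandbox attribute value, or null when the attribute is absent.
function auditSandbox(attr) {
  if (attr === null || attr === undefined) {
    // Without the attribute nothing stops the framed page navigating `top`.
    return { sandboxed: false, scripts: true, topNavigation: 'allowed',
             unknownTokens: [], warnings: ['iframe is not sandboxed'] };
  }
  // Tokens are split on ASCII whitespace and matched case-insensitively.
  const tokens = new Set(
    attr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
  const unknownTokens = [...tokens].filter((t) => !KNOWN_TOKENS.has(t));
  const scripts = tokens.has('allow-scripts');

  let topNavigation = 'blocked';
  if (tokens.has('allow-top-navigation')) {
    topNavigation = 'allowed';
  } else if (tokens.has('allow-top-navigation-by-user-activation')) {
    topNavigation = 'user-activation';
  }

  const warnings = [];
  if (topNavigation !== 'blocked') {
    warnings.push('framed page can navigate the top window: ' + topNavigation);
  }
  if (scripts && tokens.has('allow-same-origin')) {
    warnings.push('allow-scripts + allow-same-origin: a same-origin ' +
                  'framed document can remove its own sandbox');
  }
  if (unknownTokens.length > 0) {
    warnings.push('ignored by the browser: ' + unknownTokens.join(', '));
  }
  return { sandboxed: true, scripts, topNavigation, unknownTokens, warnings };
}

// The first two values appear on this page; the third is constructed.
for (const value of ['', 'allow-same-origin allow-scripts allow-popups allow-forms',
                     'Allow-Scripts allow-top-navigation allow-top-nav']) {
  console.log(JSON.stringify(value), auditSandbox(value));
}
```

The second warning only matters when the framed content shares the embedding page's origin; for a third-party page, as in the question, the token list from the answer keeps top navigation blocked.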
There is a technique to disable the frame busting code, as discussed in a newer SO question:
As it turns out, your frame-busting code can be busted, as shown here:
<script type="text/javascript">
    var prevent_bust = 0
    window.onbeforeunload = function() { prevent_bust++ }
    setInterval(function() {
      if (prevent_bust > 0) {
        prevent_bust -= 2
        window.top.location = 'http://server-which-responds-with-204.com'
      }
    }, 1)
</script>
This code does the following:
- increments a counter every time the browser attempts to navigate away from the current page, via the window.onbeforeunload event handler
- sets up a timer that fires every millisecond via setInterval(), and if it sees the counter incremented, changes the current location to a server of the attacker's control
- that server serves up a page with HTTP status code 204, which does not cause the browser to navigate anywhere
A valid question, and one I wish more people would take seriously, rather than just responding with lame comments about "respecting" the wishes of those whose material gets linked, sometimes unintentionally.
What about respecting the traffic that frame busting javascript steals?
In netiquette terms framebusting scripts are actually a big no-no, for that very reason.
There are many genuine and innocent reasons for using frames or iframes, and it's not only very easy but incredibly common for code, especially URLs, to be inserted, either legitimately or illegitimately, into a page within that frameset that leads traffic, intentionally or otherwise, to another page that rather rudely then breaks the frameset and steals the traffic.
The correct netiquette approach for a webmaster who doesn't wish for his material to be displayed in a frameset, whether it was done intentionally or unintentionally, is to make a redirect script to a top page that displays a message informing the surfer that the page requested was not intended to be viewed in frames, and that should they wish to view that page, they can view it at a URL, which is then linked to open in a new tab or browser page. This doesn't break the frameset and steal the original site's traffic, thus allowing the surfer to make the choice themselves as to where they actually wish to surf.
I wish more webmasters would respect such netiquette.