Twitter Don't Click Exploit. Someone ran a successful ClickJacking exploit against Twitter users, using a transparent iframe holding the Twitter homepage with a status message fed in by a query string parameter. This will definitely help raise awareness of ClickJacking! Twitter has now added framebusting JavaScript to prevent the exploit.
I had a version like so:
if (top != self) {
top.location.href = document.location.href;
}
Here's twitter's version:
if (window.top !== window.self) {
window.top.location.href = window.self.location.href;
}
Any idea if the "window." is significant in this context?
Jeremy Dunck - 12th February 2009 22:36 - #
Framebusting is a pretty weak defense against clickjacking. It doesn't work in IE if the containing site sets a certain attribute on the iframe element. It doesn't work if JavaScript is disabled. It creates a race condition between the user clicking things in the old page and the new page being loaded. If the user clicks the Back button, the framebusting script might not get to run again.
Jesse Ruderman - 13th February 2009 05:52 - #
Jeremy: window is the global object in JavaScript, so putting window.X is just a more explicit way of saying "access the global variable X". It's a stylistic thing - the two scripts should have exactly the same effect.
Jesse: is there anything we can do about clickjacking then, or are we just screwed?
You can make your state-changing forms have an onsubmit that refuses to submit when the page is in a frame. At least, I think you can; it could be that IE's restricted-iframe attribute hides the fact that the page is in a frame.
Jesse Ruderman - 14th February 2009 03:32 - #
Also, this article suggests that older versions of IE let you execute javascript in the context of the framed document by changing its src to a javascript: url after it loads. Twitter are now doing something like:
It seems the only comprehensive defense for this is self-destruction.
James Wheare - 14th February 2009 14:53 - #
James:
Except that facebook has started iframing all external links, and nuking your own site's content in response to traffic from facebook is a pretty terrible thing to do.
Jesse, thanks for the feedback. I'm more scared and confused now, though. :-(
Jeremy Dunck - 19th March 2009 16:57 - #
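As an added example (not code from the original post, from Twitter, or from any of the commenters), here is the framed-page check from the snippets above alongside the two things the thread asks for: the onsubmit guard Jesse suggests for state-changing forms, and a response-header defense (X-Frame-Options and the CSP frame-ancestors directive) that holds even when the framebusting script never runs. The helper names `applyAntiFraming`, `isFramed` and `guardedSubmit` are hypothetical; the functions take a window-like object so they can be exercised outside a browser.

```javascript
// Added example, not from the original post or the commenters.
// Defender-side checks for the clickjacking scenario discussed in the thread.

// Headers that tell the browser never to render this response inside a frame.
// Unlike framebusting JavaScript this works with scripting disabled and leaves
// no window for a race between the click and the top-level redirect.
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Apply the headers to a response object that exposes setHeader(name, value),
// e.g. Node's http.ServerResponse. Returns the names that were set.
function applyAntiFraming(res) {
  const headers = antiFramingHeaders();
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return Object.keys(headers);
}

// Same test as the framebusting snippets above: the document is framed when
// the top-level window is not ourselves. `win` is `window` in a real page.
function isFramed(win) {
  return win.top !== win.self;
}

// onsubmit handler for a state-changing form (hypothetical helper).
// Returns false and cancels the event while framed, so a click steered
// through a transparent iframe cannot submit the form.
function guardedSubmit(win, event) {
  if (isFramed(win)) {
    if (event && typeof event.preventDefault === "function") event.preventDefault();
    return false;
  }
  return true;
}

// Constructed window-like objects for a stand-alone run.
const topWindow = {};
const framedWindow = { top: topWindow, self: {} };
const plainWindow = { top: topWindow, self: topWindow };
console.log("framed:", isFramed(framedWindow), "plain:", isFramed(plainWindow));
```

In a page you would wire it up as `<form onsubmit="return guardedSubmit(window, event)">` and set the headers from the server for every HTML response.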