Frame Buster Buster ... Buster Code Needed

Frame Buster Buster ... buster code needed

I'm not sure if this is viable or not - but if you can't break the frame, why not just display a warning? For example, if your page isn't the "top page", create a setInterval method that tries to break the frame. If after 3 or 4 tries your page still isn't the top page - create a div element that covers the whole page (modal box) with a message and a link like...

You are viewing this page in an unauthorized frame window - (Blah blah... potential security issue)

click this link to fix this problem

Not the best, but I don't see any way they could script their way out of that.
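The fallback described in the answer above, as an added example that is not part of the original post: retry the frame bust a few times, then cover the page with a warning overlay so the framed content cannot be interacted with. The names `bustOrWarn` and `buildOverlay`, the retry count, the interval, the styling and the new-tab link target are assumptions made for illustration.

```javascript
// Added example: retry the frame bust, then fall back to a warning overlay.
// MAX_TRIES, the 250 ms interval and the styling are assumptions.
const MAX_TRIES = 4;

// One attempt; returns "top" (not framed), "retry" or "overlay".
function bustOrWarn(win, doc, state) {
  if (win.top === win.self) return "top";
  if (state.tries < MAX_TRIES) {
    state.tries++;
    try {
      // Throws in a sandboxed frame without allow-top-navigation; has no
      // lasting effect when the framing page cancels the navigation.
      win.top.location = win.self.location.href;
    } catch (e) { /* blocked: counts as a failed try */ }
    return "retry";
  }
  if (!state.overlay) state.overlay = buildOverlay(win, doc);
  return "overlay";
}

// Full-page modal box that hides the framed content behind a warning.
function buildOverlay(win, doc) {
  const box = doc.createElement("div");
  box.style.cssText = "position:fixed;top:0;left:0;width:100%;height:100%;" +
    "z-index:2147483647;background:#fff;text-align:center;padding-top:20%";
  box.appendChild(doc.createTextNode(
    "You are viewing this page in an unauthorized frame window. "));
  const link = doc.createElement("a");
  link.href = win.self.location.href;
  link.target = "_blank"; // assumption: new tab, so the frame is not navigated
  link.rel = "noopener";
  link.textContent = "Click this link to fix this problem";
  box.appendChild(link);
  (doc.body || doc.documentElement).appendChild(box);
  return box;
}

// Browser wiring; skipped when no DOM is present (e.g. under Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const state = { tries: 0, overlay: null };
  const timer = setInterval(function () {
    if (bustOrWarn(window, document, state) !== "retry") clearInterval(timer);
  }, 250);
}
```

The step function is kept separate from the timer so it can be exercised with stand-in `win` and `doc` objects outside a browser.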

Frame buster buster

This is what I ended up going with. It ignores only the next redirect after the page has loaded. The major downside of this method is that if the frame never calls its framebuster (e.g. because it doesn't load properly, or the framed site changes their code), this will stop the next attempted page movement. A possible solution would be to execute it after frame page load, but directly before any script executes. Another solution would be to only catch url changes to the framed host's base URL. I have no idea if that's possible though...

    function ignore_next_redirect() {
        var redirect_timer;
        var prevent_bust = 0;
        // Count unload attempts made after this point.
        window.onbeforeunload = function() { prevent_bust++; };
        redirect_timer = setInterval(function() {
            if (prevent_bust > 0) {
                // Cancel the pending navigation once, then stop watching.
                window.top.location = 'http://example.org/204';
                window.onbeforeunload = function() {};
                clearInterval(redirect_timer);
            }
        }, 1);
    }

It still does have problems - it seems to stop loading content if it happens at the start of the page.

I know a solution is out there somewhere - Google Images seems to have got it working. Will update with any progress...

Frame Busting buster not completely working for IE

PENDO, I tried to simulate the whole process you described, lightbox-jquery, javascript their own codes and controls opening pages via lightbox. I could not simulate at all, and as time is running out I'm sending a suggestion to broaden the range of possibilities and solutions.
I suggest replacing the redirect page:

    ...
    redirectUrl = $('#redirectUrl').val();
    ...
    window.top.location = 'http://www.****.com/ajax/nocontent.php';
    window.open(redirectUrl, "_blank");

Replace it with a DIV container that simulates a page, using ajax calls to take the content and overwrite the contents of the DIV.

    ...
    $.post(redirectoURL /* or desired URL */, function(data) {
        $('DIV.simulateContent').html(data);
    });
    ...

or

    ...
    $('DIV.simulateContent').load(redirectoURL);
    ...

This approach also avoids the problem of preventing the user from even leaving your page using the address bar (as you yourself mentioned).

Sorry, I wanted to give you a complete solution, but time prevented me.

PENDO, after a little more work on alternatives to the problem, I found a customizable jQuery lightbox plugin for working with custom windows (iframe, html, inline, ajax etc.). Maybe it will help. The link follows:

http://jacklmoore.com/colorbox/

Cross-origin anti frame busting

I have found a solution.
My iframe is navigated with a button (with the HTML ID of 'deHBox'), and my iframe is linked with a variable labeled 'Ifr'.

    document.getElementById("deHBox").addEventListener("click", function() {
        sandbox(false);
        Ifr.src = url;
        Ifr.style.height = 'calc(100% - 23px)';
        Ifr.style.width = '100%';
        setTimeout(function() { sandbox(true); }, 500);
    });

    setTimeout(function() { sandbox(true); }, 500);

    function sandbox(on) {
        if (on == true) {
            Ifr.sandbox = "allow-scripts allow-forms allow-pointer-lock allow-popups allow-same-origin";
        } else {
            Ifr.removeAttribute('sandbox');
        }
    }

I just added this to my injected.js file...

Bypass iFrame buster script

You can't redefine the window and top properties of the global object

window is essentially a reference to the window property of the global window object (window.window). This property is defined as non-configurable and non-rewritable. You can verify this by executing Object.getOwnPropertyDescriptor(window, "window") in the console. The configurable: false and writable: false attributes mean that any attempts to modify it will fail (either with a false return value or with an error in strict mode). This behavior of the window property is required by the specification of the Window object.

The top property of a window is non-configurable and non-rewritable as well, so you won't be able to overwrite that either. (parent and self, on the other hand, can be overwritten.)

You seem to be trying to find a universally usable way of fooling framebusters. This seems like an impossible task to me. You might be able to somehow intercept <script> elements and remove the iframe detection from the code before it gets executed, but even if you succeed in doing so for some framebusters, there will always be other ones that your extension will not take care of.


