How to disable iFrame encapsulation

It's a common trend to encapsulate sites in iframes; DiggBar and a lot of others do this.

The problems with these toolbars are the following:

  • they break script support, at least for Plurk
  • they steal SEO from your site, i.e. it's the owner of the short URL domain that gets the back links
  • they can be a serious security threat, making things like XSS or CSRF much easier

The solution is pretty easy though; simply add this to your header section:

<script type="text/javascript">
if (window != top)  {
    //Inside an iframe check
    top.location.href = location.href;
}
</script>

This checks if your site is inside an iframe; if it is, it changes the top window's location to your site's URL, so the framing toolbar is replaced by your page.
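As an added example (not part of the original post), the same check written as a pure function over a minimal window-like object so it can be exercised outside a browser, together with the server-side counterpart: the X-Frame-Options and Content-Security-Policy frame-ancestors headers, which the browser enforces even when JavaScript is disabled or the framing page sandboxes the iframe. The function names, the constructed window objects and the URLs are assumptions made for the example.

```javascript
// Added example, not code from the original post. The frame check is
// factored into a function that takes a window-like object, so it can be
// tested outside a browser; `installFrameBuster` applies it the way the
// original snippet does.

// Returns the URL the top window should be sent to, or null when the page
// is already the top-level document. `win` only needs `top` and
// `location.href`, mirroring the original `window != top` check.
function frameBustTarget(win) {
  if (win !== win.top) {
    return win.location.href;
  }
  return null;
}

// In a real browser this is exactly the original snippet's behaviour:
// replace the framer's top-level document with our own page.
function installFrameBuster(win) {
  const target = frameBustTarget(win);
  if (target !== null) {
    win.top.location.href = target;
  }
  return target;
}

// Server-side counterpart: response headers that tell the browser not to
// render the page inside a frame at all. Unlike the script, these still
// apply when JavaScript is disabled. 'none' forbids all framing; 'self'
// allows framing only by pages from the same origin.
function antiFramingHeaders(policy) {
  if (policy === 'none') {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (policy === 'self') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  throw new Error('policy must be "none" or "self"');
}

// Constructed window objects (hypothetical URLs): a framing toolbar page
// as the top-level document, and our own page loaded inside its iframe.
function makeWindows() {
  const topWin = { location: { href: 'https://framer.example/bar' } };
  topWin.top = topWin; // a top-level window is its own `top`
  const framed = { location: { href: 'https://example.com/post/1' } };
  framed.top = topWin; // the iframe's `top` is the framer's window
  return { topWin, framed };
}

// Stand-alone demonstration when run under Node rather than a browser.
if (typeof window === 'undefined') {
  const { topWin, framed } = makeWindows();
  console.log('top-level page target:', frameBustTarget(topWin)); // null
  installFrameBuster(framed);
  console.log('top window now at:', topWin.location.href); // our page
  console.log(antiFramingHeaders('none'));
}
```

The script-based check only runs if the browser executes it; the headers cover the case where it does not, so in practice both are deployed together, with the headers doing the real enforcement.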

Code · Plurk · Security 26. May 2009
4 comments so far

Iframes should be dropped from the HTML spec and officially unsupported. >:(

I agree with that Altreus character completely. innerHTML and xmlhttp work just fine for this sort of functionality but only on the same domain, and you can turn it off by disabling javascript.

http://en.wikipedia.org/wiki/F...

This is a great technique called Frame Busting/Killing :)

Yeah, I've been using this on http://www.freestat.hu for 10 years. ;)

© 2000-2009 amix. Powered by Skeletonz.