7

We've been having an problem recently where other sites are running our e-commerce site inside a frameset where our site (with the offenders affiliate id tacked on) is the only content in a single full width frame. So essentially it looks and feels like our site with their URL at the top. We can cut off their affiliate id, which would make it pointless for them to do, but this doesn't prevent future offenders from doing the same thing until we find out about it.

Is there a generic way (through JavaScript that appears on every page perhaps?) to prevent this from happening? Note that adding targets to to all links is not feasible, but adding a snippet of JS to all pages is, since the header and footer portions are shared sitewide from a single source.

Another possibility would be at the Apache level (if there is anything we could do server side) as we do pass all requests through mod-rewrite.

Note that it would be essential to sill allow pages to load inside an IFrame if the parent page originates from our domain, as we make valid use of IFrames

casperOne
74.7k19 gold badges189 silver badges262 bronze badges
asked Jan 20, 2009 at 1:15

4 Answers 4

6

I've heard of solutions to this problem being referred to as a "frame popper script". A quick google comes up with this thread. Looks like this is one of the simplest:

if (window != top) top.location.href = location.href;
answered Jan 20, 2009 at 1:27
Sign up to request clarification or add additional context in comments.

3 Comments

That would be quite nifty, the hacking site trying to 'Iframe' your site, would be redirected to your site in the parent window :)
you can also write this as if(top !== self) top.location.href = self.location.href - same thing, but more symmetric
There are workarounds to many of these "frame popper scripts", so they should no longer be used. See OWASP Clickjacking Defense Cheat Sheet: Insecure Non-Working Scripts DO NOT USE
5

I believe the proper modern method to achieve this is with The X-Frame-Options response header.

From the MDN:

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Take a look at: How to prevent IFRAME from redirecting top-level window

answered Jun 20, 2013 at 15:21

2 Comments

This is the correct answer for 2017. OWASP has a great Clickjacking Defense Cheat Sheet that discusses the attack and remediation possibilities.
I've updated the chosen answer to my old question given modern best practices
2

Take a look at this article. It offers a fairly simple solution for detecting frames and breaking out of them.

How to Break Out of Frames with JavaScript

In addition, I would take it one step further. Whenever you detect a frame, grab the affiliate ID of the offending site framer, and push that to the server with AJAX along with the URL they are using. Then, either automatically or manually, you can verify that they are framing your site, and cancel their affiliate code one at a time.

answered Jan 20, 2009 at 1:21

Comments

0

Just guessing here...but what if you use javascript to call your parent window to access its document object ? You could check if its not null, and if there is a parent window (meaning a frame loaded your site), you could hide all your html through javascript...

answered Jan 20, 2009 at 1:20

Comments

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.