Suppose http://a./foo contains <iframe src="http://b./bar">
Sometimes b./bar will break out of its frame: the top-level window will redirect away from a./foo into b./bar. I don't know how b. is doing this.
I thought it wasn't possible for a cross-domain iframe to interfere with the parent unless the parent cooperates via postMessage. Is changing the window location exempt from this?
If that is what's happening, how can a. prevent this redirect? I control a. but cannot modify b..
If that's not what's happening, how can I find out what b. is doing to achieve the redirect?
It would be acceptable to force b. to load itself into a new window, or sabotage its access to the top or parent objects. Other degradations of b.'s behaviour may be acceptable.
- Of possible interest may be this classic question – Pointy Commented Mar 30, 2012 at 16:40
- Interesting, although the basic anti-frame-busting 204 trick doesn't work in my FF11 (all navigations away are blocked). – spraff Commented Mar 30, 2012 at 16:58
- The page ultimately will win; even if it can't bust your frame buster buster, it can decide to hide itself or redirect to something objectionable. – Pointy Commented Mar 30, 2012 at 17:04
4 Answers
Parent can use sandbox attribute on iframe:
http://www.w3schools./TAgs/att_iframe_sandbox.asp
Then iframe will no longer be able to redirect parent.
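An added example, not part of the original answer: a Node script that classifies a sandbox attribute value by whether it still lets the framed page navigate the top-level window, and builds an iframe tag that never grants that permission. The URL https://b.example/bar, the function names and the sample values are constructed for illustration.

```javascript
// Added example (not from the original answers). Runs in Node; no DOM needed.

// Split a sandbox attribute value into its tokens: ASCII-whitespace separated,
// compared case-insensitively. null/undefined means the attribute is absent.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(String(value).toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Classify whether the framed document may navigate the top-level window.
function topNavigation(value) {
  const tokens = parseSandbox(value);
  if (tokens === null) return 'unsandboxed';             // sandbox imposes nothing
  if (tokens.has('allow-top-navigation')) return 'allowed';
  if (tokens.has('allow-top-navigation-by-user-activation')) return 'user-gesture-only';
  return 'blocked';                                      // frame busting fails
}

function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                  .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build the iframe tag for the parent page. The default tokens keep the framed
// page's scripts and forms working and let it open a new window (allow-popups),
// but no allow-top-navigation* token is ever accepted.
function sandboxedIframe(src, allow = ['allow-scripts', 'allow-forms', 'allow-popups']) {
  const refused = allow.filter(t => t.toLowerCase().startsWith('allow-top-navigation'));
  if (refused.length > 0) {
    throw new Error('refusing sandbox tokens: ' + refused.join(', '));
  }
  return `<iframe src="${escapeAttr(src)}" sandbox="${escapeAttr(allow.join(' '))}"></iframe>`;
}

// Constructed sample values, for illustration only.
const samples = [null, '', 'allow-scripts allow-forms',
                 'ALLOW-SCRIPTS allow-top-navigation',
                 'allow-scripts allow-top-navigation-by-user-activation'];
for (const s of samples) console.log(JSON.stringify(s), '->', topNavigation(s));
console.log(sandboxedIframe('https://b.example/bar'));
```

Without allow-same-origin the framed document gets an opaque origin, so its own cookies and storage are unavailable to it; add that token only if the framed page needs them.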
What may be happening is a link inside b. has the attribute Target='_parent'. This would make the window/iframe parent update.
If you control b. - ensure all your targets are _self.
That's called 'frame busting'. Supposedly there are techniques to stop that ( http://seclab.stanford.edu/websec/framebusting/index.php ).
Maybe instead of an iframe you could use ajax or similar to load the frame's content into your page?
An ajax solution could work if I create a./proxy.php which will use cURL to fetch b..
Pros:
- can change or remove any script
- can adjust b. content (preview mode)
- can get around cross-domain iframe restrictions
Cons:
- cookies/sessions on b. won't be available
- b. may require scripts to create its content
- burden of bandwidth
- coding effort to make hrefs work