Some websites are under the impression that this very old frame busting code can prevent clickjacking attacks:
try {
  if (top.location.hostname != self.location.hostname) throw 1;
} catch (e) {
  top.location.href = self.location.href;
}
Here’s a very simple way around this which works in both FF and IE7 (update: there is a way to work around this prevention, linked here):
var prevent_bust = 0
window.onbeforeunload = function() { prevent_bust++ }
setInterval(function() {
  if (prevent_bust > 0) {
    prevent_bust -= 2
    window.top.location = 'http://server-which-responds-with-204.com'
  }
}, 1)
The server only needs to respond with:
HTTP/1.1 204 No Content
On most browsers a 204 (No Content) HTTP response will do nothing, meaning it will leave you on the current page. But the request attempt will override the previous frame busting attempt, rendering it useless. If the server responds quickly this will be almost invisible to the user.
Update: If the frame busting code is at the beginning of the page, before any content loads, then even though the frame busting will be prevented, so will the loading of the remainder of the page. This means that your content would be hidden and un-clickjackable (only in FF, see below for IE).
So what can a website do to prevent clickjacking? I’m not a security expert but this seems to cover almost all the cases:
First, have your page load with all content hidden using CSS. Something along the lines of:
<body style="display:none" ...>
Then use some variant of the frame busting code, but instead of busting, use it to determine whether or not to display your content:
try {
  if (top.location.hostname != self.location.hostname)
    throw 1;
  document.body.style.display = 'block';
} catch (e) {
  // possible clickjack attack, leave content hidden
}
This covers most of the cases. It covers IE’s SECURITY=RESTRICTED attribute, which lets a framing page turn off scripting inside the iframe: if your site is loaded like this, your script will not run and your content will remain hidden (as mentioned here). And it covers a standard clickjack attack by not displaying your content if it detects that it has been framed. What it doesn’t cover is a user who comes to your site with JavaScript disabled (who will see nothing). You could of course present them with a message saying JavaScript is required (using <noscript>). Sucks, but it seems at this point that is the price to pay for clickjacking protection.
If you have or know of a better solution please let me know.
Note to users: NoScript can protect you from clicking on invisible elements.

If you’re talking about twitter, they’ve just fixed this. Content is now hidden in the iframe.
Comment by Wesley — February 13, 2009 @ 9:17 am
Cool, looks like they’re still vuln for ppl w/o JS, but that’s probly an acceptably small %.
Comment by coderrr — February 13, 2009 @ 9:48 am
interesting article… I like very much the idea of display:none, although would drive off visitors. Not because of turned off javascript (only), but think of a user with noscript. If he doesn’t see the website he won’t know it’s because javascript being turned off…
Comment by dblackshell — February 21, 2009 @ 9:54 am
Yea I agree it sucks… It just doesn’t seem like there is any other solution for websites to prevent click jacking against users with JS turned off (and w/o noscript).
If you are using NoScript won’t it display content inside of <noscript> tags?
Comment by coderrr — February 21, 2009 @ 10:05 am
if you use NoScript, noscript tags are shown when no Javascript is allowed… exactly as it would happen if you would have javascript disabled
Comment by dblackshell — February 22, 2009 @ 10:55 pm
so then that takes care of the problem you mentioned above right? You could use <noscript> to tell the visitor why they aren’t seeing the website.
Comment by coderrr — February 23, 2009 @ 2:10 am
you hide the entire body, the noscript tag is inside the body… how would you like to inform the user?
maybe using a css rule
noscript { display: block; }
would solve the problem… don’t know didn’t have the mood to test it :P
Comment by dblackshell — February 23, 2009 @ 5:29 am
Oh yea, very good point! I tried the css example you suggested and it wouldn’t show the noscript tag if it was inside a hidden body. So it seems instead of hiding the whole body you’d have to make sure you have a div around everything except the noscript tag and then hide that div.
Comment by coderrr — February 23, 2009 @ 7:43 am
the best bet would be to add the css rule display:none to the #wrapper selector… I say #wrapper because it’s an identifier generally used to wrap the header/content/footer…
and after that wrapper add the noscript tag with the info.
Comment by dblackshell — February 23, 2009 @ 11:45 am
yea that sounds good
Comment by coderrr — February 23, 2009 @ 11:48 am
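The guard from the post (content hidden by CSS, revealed only when the page is not framed by another host), combined with the conclusion of the exchange above (hide a wrapper div rather than the whole body so a <noscript> notice outside it stays visible), as an added example. This is not coderrr’s or dblackshell’s code; the function names, the #wrapper id, the example hostnames and the fake window/document objects are assumptions made so the guard can be exercised outside a browser.

```javascript
// Added example: "hidden until proven unframed" clickjacking guard built around
// a #wrapper div, with the <noscript> notice kept outside the hidden region.
// All names here are assumptions, not code from the original post.

// True when the page sits in a frame whose top-level document is on another host.
// Reading top.location.hostname across origins throws in browsers; the guard
// treats that exception as "framed", which is the safe default.
function isFramedCrossOrigin(win) {
  try {
    return win.top.location.hostname !== win.self.location.hostname;
  } catch (e) {
    return true; // cross-origin read blocked by the browser: assume clickjacking
  }
}

// Reveal #wrapper only when the page is not framed cross-origin.
// Returns the display value that was set, or null if there is no wrapper.
function applyClickjackGuard(win, doc) {
  var wrapper = doc.getElementById('wrapper');
  if (!wrapper) return null;
  wrapper.style.display = isFramedCrossOrigin(win) ? 'none' : 'block';
  return wrapper.style.display;
}

// Page skeleton: CSS hides the wrapper before any content paints, the <noscript>
// notice is a sibling of the wrapper (not inside it, so hiding the wrapper does
// not hide it), and the guard runs at the end of the body.
function pageSkeleton(contentHtml) {
  return [
    '<style>#wrapper { display: none; } noscript { display: block; }</style>',
    '<noscript>This site needs JavaScript enabled to display its content.</noscript>',
    '<div id="wrapper">' + contentHtml + '</div>',
    '<script>' + isFramedCrossOrigin.toString() + '\n' +
      applyClickjackGuard.toString() + '\n' +
      'applyClickjackGuard(window, document);</script>'
  ].join('\n');
}

// --- Constructed stand-ins for window/document (assumption: not real browser objects) ---
// topHost undefined -> not framed; topHost equal to selfHost -> same-origin frame;
// otherwise a cross-origin frame, where any read of top.location throws like a browser would.
function fakeWindow(selfHost, topHost) {
  var selfWin = { location: { hostname: selfHost } };
  var topWin;
  if (topHost === undefined) {
    topWin = selfWin;
  } else if (topHost === selfHost) {
    topWin = { location: { hostname: topHost } };
  } else {
    topWin = { get location() { throw new Error('SecurityError: cross-origin access'); } };
  }
  return { self: selfWin, top: topWin };
}

function fakeDocument() {
  var wrapper = { style: { display: 'none' } };
  return { getElementById: function (id) { return id === 'wrapper' ? wrapper : null; } };
}

if (typeof window === 'undefined') {
  // Constructed hostnames for the demo run.
  console.log('unframed            ->', applyClickjackGuard(fakeWindow('example.com'), fakeDocument()));
  console.log('same-origin frame   ->', applyClickjackGuard(fakeWindow('example.com', 'example.com'), fakeDocument()));
  console.log('cross-origin frame  ->', applyClickjackGuard(fakeWindow('example.com', 'attacker.example'), fakeDocument()));
}
```

The key design point is that the catch branch defaults to hidden: the only way content is shown is a successful hostname comparison, so a scripting-disabled frame, a blocked cross-origin read, or any other failure all leave the wrapper at display:none. Browsers released after this post also honour the server-side X-Frame-Options response header (and later the CSP frame-ancestors directive), which the page does not discuss; a script like this is best treated as a fallback beside that header rather than the sole defence.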
It is all click jacking and we might see more such attacks in future.
The quickest fix for this attack is – DO NOT let your site be loaded in an iframe. That's it!
if (window.parent.frames.length>0) {
  // you are framed.
  // Go to your site without frame
  window.parent.location=location;
}
Comment by web — February 24, 2009 @ 2:21 pm
Did you read the post?
It is important you specify that this fix be put at the TOP of the page, before any content is loaded. Otherwise, as I showed in my post, I can block your framebusting attempt.
Also your fix won’t work when someone iframes you in an IE restricted frame or if the user has JS disabled.
Comment by coderrr — February 24, 2009 @ 2:27 pm
[...] the SECURITY=restricted iframe attribute under IE and by using the methods that coderr mentioned in this article. For users NoScript is the right protection, until (who knows) browsers do something [...]
Pingback by 1-2-3-Clickjacking — February 26, 2009 @ 7:02 am
Wait a second. If a user has JS turned off, a clickjacking attempt would be pointless since the attack relies on JS.
Comment by Nikola — February 27, 2009 @ 10:38 am
Nikola,
No actually clickjacking can be achieved with only css.
All you need is transparency, positioning, and z-index ordering.
Comment by coderrr — February 27, 2009 @ 10:46 am
Working anti-buster-buster-buster code here:
http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed
CHECK.. YOUR MOVE SIRS!!
– edit –
For the benefit of comment readers, the above code does not work. – coderrr
Comment by Jeff Atwood — June 6, 2009 @ 5:21 am
[...] Filed under: javascript, security — Tags: javascript, security — coderrr @ 4:21 pm In this post I presented a way to prevent a site you were (i)framing from frame busting out. Jeff Atwood [...]
Pingback by Anti anti frame busting « coderrr — June 18, 2009 @ 4:22 pm
[...] I’ll tell you what happens. This happens. [...]
Pingback by We Done Been … Framed! | Design Website — June 19, 2009 @ 12:54 pm
[...] the SECURITY=restricted iframe attribute under IE and by using the methods that coderr mentioned in this article. For users NoScript is the right protection, until (who knows) browsers do something [...]
Pingback by insanesecurity — June 24, 2009 @ 4:52 pm
[...] I’ll tell you what happens. This happens. [...]
Pingback by We Done Been … Framed! | PHP Hosts — August 6, 2009 @ 7:09 am
Using the re-direct method will get your page banned by Google! They ban all pages which re-direct a user to another page, all SE’s do, don’t they?
Comment by texxs — August 26, 2009 @ 5:21 pm
display: block means that the element is displayed as a block, as paragraphs and headers have always been.
maybe you mean to display: none ?
Comment by Joseph Smith — September 17, 2009 @ 4:17 pm
no, the body starts out ‘none’ and then is changed to ‘block’ only if the site is not framed
Comment by coderrr — September 17, 2009 @ 4:34 pm