Frame Buster Buster ... buster code needed
<p>Let's say you don't want other sites to "frame" your site in an <code>&lt;iframe&gt;</code>:</p>
<pre><code>&lt;iframe src="http://example.org"&gt;&lt;/iframe&gt;
</code></pre>
<p>So you insert anti-framing, frame busting JavaScript into all your pages:</p>
<pre><code>/* break us out of any containing iframes */
if (top != self) { top.location.replace(self.location.href); }
</code></pre>
<p>Excellent! Now you "bust" or break out of any containing iframe automatically. Except for one small problem.</p>
<p>As it turns out, <strong>your frame-busting code can be busted</strong>, <a href="http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing/" rel="noreferrer">as shown here</a>:</p>
<pre><code>&lt;script type="text/javascript"&gt;
    var prevent_bust = 0
    window.onbeforeunload = function() { prevent_bust++ }
    setInterval(function() {
      if (prevent_bust &gt; 0) {
        prevent_bust -= 2
        window.top.location = 'http://example.org/page-which-responds-with-204'
      }
    }, 1)
&lt;/script&gt;
</code></pre>
<p>This code does the following:</p>
<ul>
<li>increments a counter every time the browser attempts to navigate away from the current page, via the <code>window.onbeforeunload</code> event handler</li>
<li>sets up a timer that fires every millisecond via <code>setInterval()</code>, and if it sees the counter incremented, changes the current location to a server of the attacker's control</li>
<li>that server serves up a page with HTTP status code <strong>204</strong>, which does not cause the browser to navigate anywhere</li>
</ul>
<p>My question is -- and this is more of a JavaScript puzzle than an actual <em>problem</em> -- how can you defeat the frame-busting buster?</p>
<p>I had a few thoughts, but nothing worked in my testing:</p>
<ul>
<li>attempting to clear the <code>onbeforeunload</code> event via <code>onbeforeunload = null</code> had no effect</li>
<li>adding an <code>alert()</code> stopped the process and let the user know it was happening, but did not interfere with the code in any way; clicking OK lets the busting continue as normal</li>
<li>I can't think of any way to clear the <code>setInterval()</code> timer</li>
</ul>
<p>I'm not much of a JavaScript programmer, so here's my challenge to you: <strong>hey buster, can you bust the frame-busting buster?</strong></p>
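<p>An added example, not part of the original post: the framing page controls the navigation race described above, so script running inside the framed page can be interfered with, whereas the <code>X-Frame-Options</code> and CSP <code>frame-ancestors</code> response headers are enforced by the browser before the page loads. This Node.js code audits response headers for them; the helper names and sample responses are constructed for illustration, and it assumes one CSP policy per response.</p>

```javascript
// Added example: classify the anti-framing protection a response's headers
// give. Helper names and sample responses are constructed for illustration.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // An enforced CSP frame-ancestors directive makes browsers ignore
  // X-Frame-Options, so it is evaluated first (assumes a single policy).
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...rest] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    const sources = rest.map((s) => s.toLowerCase());
    if (sources.includes('*')) return 'unprotected';
    if (sources.every((s) => s === "'none'")) return 'deny'; // also empty list
    if (sources.every((s) => s === "'self'")) return 'same-origin';
    return 'allowlist';
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // ALLOW-FROM is obsolete and ignored by current browsers; anything else
  // leaves the page relying on in-page script alone.
  return 'unprotected';
}

// Return the URLs whose responses any site may frame.
function unprotectedPages(responses) {
  return responses
    .filter((r) => framingPolicy(r.headers) === 'unprotected')
    .map((r) => r.url);
}

// Constructed sample responses (not captured traffic).
const SAMPLES = [
  { url: '/login', headers: { 'X-Frame-Options': 'DENY' } },
  { url: '/account', headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" } },
  { url: '/embed', headers: { 'content-security-policy': 'frame-ancestors https://partner.example' } },
  { url: '/legacy', headers: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' } },
  { url: '/home', headers: { 'Content-Type': 'text/html' } },
];

console.log(unprotectedPages(SAMPLES));
```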
 
