stackoom
  简体   繁体   中英

Frame breaking only cross-domain but not for iframes from the same origin?

 原文  2010-09-29 16:45:05       javascript/ iframe/ same-origin-policy

Question

This question was previously asked and answered correctly, but there did not seem to be a solution posted.

If a site has iframes, and one wants to prevent those from being enclosed in a frame from a different domain, simplistic frame-busting will not be useful: 

<script>if (top != self) top.location = location</script>

However, since cross-frame scripting to other domains should generate exceptions, something like this seems to work well inside the iframe: 

<script>
try {
  if (window.document.domain != top.document.domain) {   // throws exception
    throw "You naughty puppy!"; // Should not ever get here, right?
  }
}
catch () {
  top.location = "/error/naughtypuppy";
}
</script>

The if above should be enough on its own to prevent cross-domain framing of iframes. It should only ever return false or throw an exception, so is there anyway the script could reach the throw statement in a browser?

Would this be sufficient to prevent framing only from other domains? 

<script>
try {
  var bogus = top.document.domain;
}
catch () {
  top.location = "/error/naughtypuppy";
}
</script>

Edit: A similar solution is hinted at here, but one would not rely on the parent frame to include the frame-busting code. Detect when iframe is cross-domain, then bust out of it . Essentially the same solution as "try to access the other frame and bust if an exception occurs."

2 answers

solution1
 2 ACCPTED  

That code is vulnerable to a form of attack that leverages the "onbeforeunload" feature. The parent (evil) page sets up a interval handler (which is invulnerable to your code, due to the domain difference) and an "onbeforeunload" handler. The second handler just updates some global variable (also invulnerable) to record the fact that the window is "under attack", and then the interval timer (running fast enough that it should be able to become active before the browser has completed the outer window update to your legit URL) pops up and updates window.location to point to some attacker-controlled URL that returns a no-op 204 response. The browser forgets about your HTTP request and "updates" the window from that newer transaction instigated by the interval handler instead.

Here's the older SO question: Frame Buster Buster ... buster code needed

solution2
 1  2014-10-02 21:21:03

I have a site that still has frames and I can't remove them for now. This was the best solution I was able to find: 

<style>html { display:none }</style>
<script>
if (self == top) {
  document.documentElement.style.display = 'block';
} else {
  top.location = self.location;
}
</script>

From this link: XFS 101-cross-frame-scripting-explained

Based on a presentation from: OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt

Here is a more updated OWasp Clickjacking page

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Cross-domain and iFrames Cross origin requests are only supported for HTTP but it's not cross-domain Cross-domain if 2 scripts from same domain? Get around same-origin policy to get top URL of a page from inside a cross-domain iframe Understanding Cross-Domain issue in Iframes Cross-domain localStorage with iframes (Chrome) iframes from same domain and cross browser scripting blocked a frame with origin from accessing a cross-origin frame Using the same domain Does the same-origin-policy prevent JavaScript on a page from accessing the contents of cross-domain loaded resources like <img> and <script>? Is it possible to leverage cross-domain iframes for non-blocking computation?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM