Framekiller

Last updated

A framekiller (or framebuster or framebreaker) is a technique used by websites and web applications to prevent their web pages from being displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. A framekiller is usually used to prevent a website from being loaded from within a frameset without permission or as an attack, as with clickjacking.

Contents

Framekiller scripts have largely been replaced by the usage of X-Frame-Options and Content-Security-Policy headers, which prevent the page from being loaded in a frame in the first place. These headers are supported by all modern browsers and do not require the use of JavaScript. [1]

Implementations

Framekillers are implemented using JavaScript that validates if the current window is the main window. The recommended approach is to block rendering of the window by default and only unblock it after confirming the current window is the main one:

<style>html{display:none;}</style><script>if(self==top){document.documentElement.style.display='block';}else{top.location=self.location;}</script>

This approach was proposed in 2010 by Gustav Rydstedt, Elie Bursztein, Dan Boneh and Collin Jackson in a paper that highlighted the limitations of existing frame-busting techniques along with techniques allowing to bypass them. [2]

Alternative solutions

An alternative choice is to allow the user to determine whether to let the framekiller work.

varframekiller=false;window.onbeforeunload=function(){if(framekiller){return"...";// any message that helps user to make decision}};

and the code below should be added after the frame tag:

//"my_frame" should be changed according to the real id of the frame in your page document.getElementById("my_frame").onload=function(){framekiller=true;};

Original framekillers

Historically, the first framekiller scripts were as simple as this:

<scripttype="text/javascript">if(top!=self)top.location.replace(location);</script>

The logic here was to display the page, but check if the top location is the same as the current page, and replace the top by current if not. This method however can be easily bypassed by blocking execution of the framebuster script from the outer frame. [2]

Framekiller limitations

Client-side JavaScript solution relies on the end-user's browser enforcing their own security. This makes it a beneficial, but unreliable, means of disallowing your page to be embedded in other pages. The following situations may render the script above useless:

Anti-framekiller

The iframe in HTML5 has a sandbox attribute. [3] The attribute's value is a set of allowed capabilities for the iframe's content. If the value is empty or not set, the iframe's content will not execute JavaScript, and won't allow top-level navigation. By specifying allow-scripts in the space separated set of exceptions in the value, the iframe will allow JavaScript, but will still disallow top-level navigation, rendering framekillers in the iframe impotent.

See also

Related Research Articles

Dynamic HTML, or DHTML, is a term which was used by some browser vendors to describe the combination of HTML, style sheets and client-side scripts that enabled the creation of interactive and animated documents. The application of DHTML was introduced by Microsoft with the release of Internet Explorer 4 in 1997.

<span class="mw-page-title-main">Cross-site scripting</span> Computer security vulnerability

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec up until 2007. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.

An HTML element is a type of HTML document component, one of several types of HTML nodes. The first used version of HTML was written by Tim Berners-Lee in 1993 and there have since been many versions of HTML. The most commonly used version is HTML 4.01, which became official standard in December 1999. An HTML document is composed of a tree of simple HTML nodes, such as text nodes, and HTML elements, which add semantics and formatting to parts of document. Each element can have HTML attributes specified. Elements can also have content, including other elements and text.

URL redirection, also called URL forwarding, is a World Wide Web technique for making a web page available under more than one URL address. When a web browser attempts to open a URL that has been redirected, a page with a different URL is opened. Similarly, domain redirection or domain forwarding is when all pages in a URL domain are redirected to a different domain, as when wikipedia.com and wikipedia.net are automatically redirected to wikipedia.org.

In the context of a web browser, a frame is a part of a web page or browser window which displays content independent of its container, with the ability to load content independently. The HTML or media elements in a frame may come from a web site distinct from the site providing the enclosing content. This practice, known as framing, is today often regarded as a violation of same-origin policy.

Ajax is a set of web development techniques that uses various web technologies on the client-side to create asynchronous web applications. With Ajax, web applications can send and retrieve data from a server asynchronously without interfering with the display and behaviour of the existing page. By decoupling the data interchange layer from the presentation layer, Ajax allows web pages and, by extension, web applications, to change content dynamically without the need to reload the entire page. In practice, modern implementations commonly utilize JSON instead of XML.

Meta refresh is a method of instructing a web browser to automatically refresh the current web page or frame after a given time interval, using an HTML meta element with the http-equiv parameter set to "refresh" and a content parameter giving the time interval in seconds. It is also possible to instruct the browser to fetch a different URL when the page is refreshed, by including the alternative URL in the content parameter. By setting the refresh time interval to zero, meta refresh can be used as a method of URL redirection.

<span class="mw-page-title-main">Same-origin policy</span> Security measure for client-side scripting

In computing, the same-origin policy (SOP) is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. An origin is defined as a combination of URI scheme, host name, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM).

Browser sniffing is a set of techniques used in websites and web applications in order to determine the web browser a visitor is using, and to serve browser-appropriate content to the visitor. It is also used to detect mobile browsers and send them mobile-optimized websites. This practice is sometimes used to circumvent incompatibilities between browsers due to misinterpretation of HTML, Cascading Style Sheets (CSS), or the Document Object Model (DOM). While the World Wide Web Consortium maintains up-to-date central versions of some of the most important Web standards in the form of recommendations, in practice no software developer has designed a browser which adheres exactly to these standards; implementation of other standards and protocols, such as SVG and XMLHttpRequest, varies as well. As a result, different browsers display the same page differently, and so browser sniffing was developed to detect the web browser in order to help ensure consistent display of content.

Remote scripting is a technology which allows scripts and programs that are running inside a browser to exchange information with a server. The local scripts can invoke scripts on the remote side and process the returned information.

NoScript is a free and open-source extension for Firefox- and Chromium-based web browsers, written and maintained by Giorgio Maone, an Italian software developer and member of the Mozilla Security Group.

<span class="mw-page-title-main">HTTP cookie</span> Small pieces of data stored by a web browser while on a website

HTTP cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user's device during a session.

<span class="mw-page-title-main">HTTP referer</span> HTTP header field

In HTTP, "Referer" is an optional HTTP header field that identifies the address of the web page, from which the resource has been requested. By checking the referrer, the server providing the new web page can see where the request originated.

Scalable Inman Flash Replacement (sIFR) is an obsolete JavaScript and Adobe Flash dynamic web fonts implementation, enabling the replacement of text elements on HTML web pages with Flash equivalents. It is open-source and was initially developed by Mike Davidson and improved by Mark Wubben. It is a scalable variety of HTML text-to-flash replacement pioneered by Shaun Inman.

JSONP, or JSON-P, is a historical JavaScript technique for requesting data by loading a <script> element, which is an element intended to load ordinary JavaScript. It was proposed by Bob Ippolito in 2005. JSONP enables sharing of data bypassing same-origin policy, which disallows running JavaScript code to read media DOM elements or XMLHttpRequest data fetched from outside the page's originating site. The originating site is indicated by a combination of URI scheme, hostname, and port number.

<span class="mw-page-title-main">Clickjacking</span> Malicious technique of tricking a Web user

Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.

<span class="mw-page-title-main">Elie Bursztein</span>

Elie Bursztein, born 1 June 1980 in France, is a French computer scientist and software engineer. He currently leads Google’s Security and Anti-Abuse Research Team.

Web Messaging, or cross-document messaging, is an API introduced in the WHATWG HTML5 draft specification, allowing documents to communicate with one another across different origins, or source domains while rendered in a web browser. Prior to HTML5, web browsers disallowed cross-site scripting, to protect against security attacks. This practice barred communication between non-hostile pages as well, making document interaction of any kind difficult. Cross-document messaging allows scripts to interact across these boundaries, while providing a rudimentary level of security.

Social jacking is malicious technique tricking the users for clicking vulnerable buttons or compromise them by showing false appearing pages, it is a mixture of click jacking technique to breach browser security and social engineering. It may be also referred as User interface disguising method, it is a variant of click jacking method.

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.

References

  1. "CSP: frame-ancestors" . Retrieved 2023-09-27.
  2. 1 2 G. Rydstedt; E. Bursztein; D. Boneh; C. Jackson (2010). "Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular sites". 3rd Web 2.0 Security and Privacy workshop. IEEE.
  3. "Archived copy". Archived from the original on 2013-06-06. Retrieved 2014-11-01.{{cite web}}: CS1 maint: archived copy as title (link)