
A framekiller (or framebuster or framebreaker) is a technique used by websites and web applications to prevent their web pages from being displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. A framekiller is usually used to prevent a website from being loaded from within a frameset without permission or as an attack, as with clickjacking.


Implementations

Framekillers are implemented using JavaScript that validates whether the current window is the main window. The recommended approach is to block rendering of the window by default and only unblock it after confirming that the current window is the main one. This approach was proposed in 2010 by Gustav Rydstedt, Elie Bursztein, Dan Boneh and Collin Jackson in a paper that highlighted the limitations of existing frame-busting techniques, along with techniques for bypassing them.


Alternative solutions

An alternative choice is to allow the user to determine whether to let the framekiller work, by prompting the user before the top window is navigated away:

    // Flag starts true so that a frame-busting navigation attempted while the
    // frame is still loading triggers the prompt below.
    var framekiller = true;
    window.onbeforeunload = function() {
        // Handler body assumed: returning a string makes the browser ask the
        // user to confirm leaving the page.
        if (framekiller) {
            return "This page is asking you to confirm that you want to leave.";
        }
    };

and the code below should be added after the frame tag:

    // "my_frame" should be changed according to the real id of the frame in your page
    document.getElementById("my_frame").onload = function() {
        // The frame finished loading normally: stop prompting on later navigations.
        framekiller = false;
    };


Original framekillers

Historically, the first framekiller scripts were very simple. The logic was to display the page, check whether the top location was the same as the current page, and replace the top with the current page if not. This method, however, can easily be bypassed by blocking execution of the framebuster script from the outer frame.
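The two frame-busting scripts described here and under "Implementations", the deny-by-default one and the original check-then-redirect one, as an added example that is not code from the original article. Both functions take explicit window and document objects (assumed parameter names win and doc) so the same logic can run in a browser or, as here, against constructed stand-ins that model a host frame refusing top-level navigation.

```javascript
// Added example, not code from the original article. Both frame-busters take
// explicit `win`/`doc` so they run in a browser (framekiller(window, document))
// or against the constructed stand-ins at the bottom.

// Deny-by-default framekiller (the 2010 recommendation). In a real page the
// hiding is a <style>html{display:none}</style> in <head>, so it holds even
// when the script never runs; the JS only ever *reveals* the page.
function framekiller(win, doc) {
  doc.documentElement.style.display = 'none';
  if (win.self === win.top) {
    doc.documentElement.style.display = 'block';
    return 'shown';
  }
  try {
    win.top.location = win.self.location; // bust out of the frame
    return 'busting';
  } catch (e) {
    return 'hidden'; // top navigation refused (e.g. sandboxed iframe): still hidden
  }
}

// Original framekiller: render first, check afterwards. If the bust is
// blocked, the page remains visible inside the host frame.
function legacyFramekiller(win, doc) {
  doc.documentElement.style.display = 'block';
  if (win.top.location === win.location) return 'shown';
  try {
    win.top.location = win.self.location;
    return 'busting';
  } catch (e) {
    return 'framed-and-visible';
  }
}

// Constructed stand-ins. blockTopNavigation models a host frame that refuses
// top-level navigation by making the location setter throw.
function makeFakeWindow({ framed, blockTopNavigation = false }) {
  const win = { location: 'https://site.example/page' };
  win.self = win;
  if (!framed) { win.top = win; return win; }
  let href = 'https://attacker.example/';
  win.top = {};
  Object.defineProperty(win.top, 'location', {
    get: () => href,
    set: (v) => { if (blockTopNavigation) throw new Error('blocked'); href = v; },
  });
  return win;
}
function makeFakeDocument() { return { documentElement: { style: { display: 'block' } } }; }
```

Run framekiller and legacyFramekiller against makeFakeWindow({ framed: true, blockTopNavigation: true }) to see the difference: the first leaves the page hidden, the second leaves it on screen inside the frame.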


Framekiller limitations

A client-side JavaScript solution relies on the end-user's browser enforcing its own security. This makes it a beneficial, but unreliable, means of preventing your page from being embedded in other pages. The following situations may render the script above useless:

* The user agent does not support JavaScript.
* The user agent supports JavaScript but the user has turned support off.
* The user agent's JavaScript support is flawed or partially implemented.


Anti-framekiller

The iframe in HTML5 has a sandbox attribute. The attribute's value is a set of allowed capabilities for the iframe's content. If the value is empty or not set, the iframe's content will not execute JavaScript and will not be allowed to perform top-level navigation. By specifying allow-scripts in the space-separated set of exceptions in the value, the iframe will allow JavaScript but will still disallow top-level navigation, rendering framekillers in the iframe impotent.


See also

* Clickjacking - discusses more sophisticated methods to prevent embedding in a frame, such as the X-Frame-Options header

