iFrame busting: the cat-and-mouse game

8 Nov

In fact, you can actually do what you really want to do, which is bust the iframe buster. The technique lets you use onbeforeunload to switch the page back to yours, but indirectly, since the browsers are too smart to let you set the URL in onbeforeunload. So instead, onbeforeunload sets an indicator variable to mark that the URL has changed, and you periodically poll that variable using a setInterval routine established when your page loads. As long as you’re polling fast enough to catch the variable change, you can jump in and change the page’s URL yourself. The trick is to change it to a page that returns a 204, a special status which tells the browser to leave the current page alone.

That said, this is a cat-and-mouse game. Check out Jeff Attwood’s StackOverflow question on this, where he asks how to bust the above technique. Web pages can bust the buster buster by beating the poll interval; basically, they set the URL to point to a tiny page, and one that has already been cached. As soon as the URL changes to that page, it will load faster than the poll routine can jump in and notice that the indicator variable has changed.

It’s not easy to prevent loading the frame in the first place. If you really wanted, you could have your server download the page and parse the Javascript to see if the iframe-busting technique is present. However, short of emulating a browser, you can only rely on basic pattern-matching and it would be easy for a page to bypass that. (e.g. use top[“l”+”ocation”] instead of top.location).

A smarter technique would be to track which URLs were redirecting using Ajax requests back to the server. (e.g. if the iframe is still there after it has loaded, send an Ajax request back to your server). You can’t 100% guarantee the accuracy of those requests, since they come from the browser, but you can at least use them to build up a manual blacklist.

You also can’t force the iframe to break out into another window.

I just wrote this as a stackoverflow reply, since I’ve been catching up on the iframe buster buster buster affair. I’m using iframes in a couple of places – http://webwait.com and http://trail.scrumptious.tv – and we’re seeing a big revival in them with the proliferation of top bars from the likes of digg and bit.ly. (See http://softwareas.com/styling-a-top-bar .)

In the case of WebWait, where I would desparately love to use iframe buster buster, I unfortunately can’t because it would add processing overhead, and thus ruin the timing which is the whole point.

In the case of Scrumptious, it might provide the perfect test bed for the buster buster.

Aside from the fact that sites can still have their way by busting the buster buster, I expect browsers will also break the buster buster at some point too. So while I might add it to Scrumptious, I don’t expect it to be useful forever.

Advertisements

2 Responses to “iFrame busting: the cat-and-mouse game”

  1. Anonymous April 7, 2010 at 6:06 am #

    Nice information, valuable and excellent design, as share good stuff with good ideas and concepts, lots of great information and inspiration, both of which we all need, thanks for all the enthusiasm to offer such helpful information here.<a href="http://www.barbiehandbags.com/coach_handbag.html&quot; title="coach handbag">coach handbag</a>

  2. Anonymous April 12, 2010 at 9:09 am #

    I really enjoyed exploring your site. good resource … thanks for sharing the info, keep up the good work going….<a href="http://www.zframez.com/testingservices.html&quot; title="Software Testing Training Bangalore">Software Testing Training Bangalore</a>

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: