Apr 13

The wrong solutions to the frame busting war

Tech

Marcus Westin wrote a little library called oFrameBust that goes beyond the classic if (top.location != window.location) frame buster by letting a site name the hosts that are allowed to frame it. (A script element that has a src attribute ignores any inline content, so the library load and the call have to be separate script elements.) Usage is:

<script type="text/javascript" src="http://oframebust.com/oframebust.js"></script>
<script type="text/javascript">
oFrameBust('digg.com', 'www.facebook.com', 'www.marcuswestin.com');
</script>

Unfortunately, for the whole system to work the whitelisted party (the site doing the framing) also needs to grok oFrameBust, and getting a third party to adopt your protocol is always a tough sell.

I think the best post I have seen on the entire topic is from Charles Miller, as he gets to the root of the issue, which is point of view:

Digg’s point of view:

Website owner's point of view:

Exactly. If someone installs a Digg toolbar add-on in the browser, no one would say anything: it is part of the browser and THE END USER REQUESTED IT. The DiggBar, by contrast, wraps the destination page in a Digg-controlled frame, so people are clicking around with no idea what has happened or whose page they are really on.

Watching people come up with rev="canonical" and libraries for running URL shorteners on their own domains makes me a little sad too. The world doesn't need "ajaxian.com/Apasojd". Instead, we need SMS to be updated to grok the Web, and we need Twitter to take the link out of the message (as FriendFeed allows) so its characters don't count against the limit. The majority of my tweets follow the pattern "Blah blah blah di blah http://url". Make that a first-class citizen. I even created Twitter Greasemonkey scripts to deal with the URL and un-shorten them. In fact, don't just do that, but make the entire message a link to that URL. There are better fixes out there.

4 Responses to “The wrong solutions to the frame busting war”

  1. Elijah Grey Says:

    In my opinion, the best solution would be to just check location.referrer and framebreak if location.referrer matches a blacklist (or doesn't match a whitelist) and the page is detected to be in a frame. It shouldn't require cooperation from the website framing your website.

  2. Elijah Grey Says:

    Small typo in last comment: document.referrer, not location.referrer.
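As an added example (this is not code from the post, from oFrameBust, or from the commenter above): a whitelist frame buster of the kind Elijah describes, driven by document.referrer rather than by cooperation from the framing site, using the same illustrative host list the post shows for oFrameBust. The hostnames, the function names (frameDecision, bustIfFramedByStranger) and the sample referrers are all assumptions made for this example.

```javascript
'use strict';

// Hosts allowed to frame this page. Constructed for the example; the list is
// the site owner's decision, not something taken from the framing page.
const FRAMING_WHITELIST = ['digg.com', 'www.facebook.com', 'www.marcuswestin.com'];

// Parse the referrer down to a lower-cased hostname. Returns null when the
// referrer is empty or unparsable. An empty referrer is common (HTTPS page
// framing an HTTP one, privacy settings, referrer-stripping proxies), so
// "no information" has to be a distinct outcome rather than a silent allow.
function referrerHost(referrer) {
  if (!referrer) return null;
  try {
    return new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Exact-host comparison only. A suffix test such as host.endsWith('digg.com')
// would let notdigg.com through, and a substring test would let
// http://evil.example/digg.com through.
function hostIsWhitelisted(host, whitelist) {
  return whitelist.some(h => h.toLowerCase() === host);
}

// Pure decision logic so it can be tested without a browser.
// framed: the caller's determination that this document is not the top one.
// Returns 'stay' (not framed, or framed by a whitelisted host),
//         'bust' (framed by a host that is not on the list), or
//         'unknown' (framed, but the referrer gives no usable host).
function frameDecision(framed, referrer, whitelist) {
  if (!framed) return 'stay';
  const host = referrerHost(referrer);
  if (host === null) return 'unknown';
  return hostIsWhitelisted(host, whitelist) ? 'stay' : 'bust';
}

// Browser wiring. 'unknown' is treated like 'bust' here (fail closed): a site
// that would rather fail open for referrer-less visitors changes one line.
// Assigning to top.location is permitted cross-origin, which is what makes
// busting out of a foreign frame possible at all.
function bustIfFramedByStranger(win, doc, whitelist) {
  const framed = win.top !== win.self;
  const decision = frameDecision(framed, doc.referrer, whitelist);
  if (decision === 'bust' || decision === 'unknown') {
    win.top.location = win.location.href;
  }
  return decision;
}

// Only run the DOM part when there is a DOM; the decision logic above is
// usable as-is from Node for testing.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  bustIfFramedByStranger(window, document, FRAMING_WHITELIST);
}
```

Two caveats a site owner should weigh before relying on this. First, document.referrer is supplied by the framing page's browser, so the decision for the 'unknown' case (referrer absent) has to be made deliberately; failing closed also busts out of legitimate frames reached through referrer-stripping setups. Second, any script-based buster runs inside a document the framer controls the environment of, and framers have found ways to keep such scripts from navigating the top window, so a header the browser enforces before the page runs (X-Frame-Options, which shipped in IE8) is the more robust line of defence where it is available.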

  3. robert sayre Says:

    The War On Frames. Will it fare better than other wars on nouns?

  4. Sam Johnston Says:

    rev=”canonical” is a notoriously bad idea that’s been widely (and rightly) criticised by anyone who knows anything about security and standards. Nonetheless it’s still being actively evangelised by a gaggle of web dev types in spite of the appearance of substantially better alternatives. Sigh.

    Sam
