18 June 2010

Frame Busting Code

It has been common in the past to include JavaScript "frame busting" or "frame killing" code to prevent a web site being displayed inside a frame (typically by someone else's frame).

Close-up photograph of engine machinery at the London Transport Museum, Covent Garden

It is also referred to as a frame killer or frame buster. For those with an interest in coding, the type of thing I mean is something like:

<script type="text/javascript">
    if (top.location != location) {
        top.location.href = document.location.href;
    }
</script>

Originally this was mainly a response to other sites framing your content to make it look like their own. This was common where the framing site itself used frames and the framed content pages carried little branding.

Well, frames are used much less for this purpose nowadays, but there are plenty of uses for frames in dynamic sites, and there are other problems to consider too, such as clickjacking, identified by Robert Hansen and Jeremiah Grossman. So what is it best to use?

The Stanford Web Security Group has published a paper on Busting Frame Busting: A Study of Clickjacking Vulnerabilities at Popular Sites which examines existing frame busting code, ways it can be circumvented and includes a recommendation for current use. The paper is very readable, and easily digested if you are involved with web development.

So what are the recommendations? The paper suggests using the X-Frame-Options HTTP header, and creating a Firefox Content Security Policy, and adding code like:

<style type="text/css">
    html { visibility:hidden; }
</style>
<script language="javascript" type="text/javascript">
    if ( self == top ) {
        document.documentElement.style.visibility='visible';
    } else {
        top.location = self.location;
    }
</script>

This requires JavaScript to be supported and enabled. This may be an acceptable assumption if the site itself relies on JavaScript. But the code uses CSS to blank the content and JavaScript to make it visible, meaning that it could be inaccessible by some (many?) users. The paper's authors believe the code does not significantly alter page rendering or load time. The code is not guaranteed to be a secure approach to frame busting but the authors believe it is the best approach currently.

There is of course no harm in having target="_top" in all hyperlinks and forms, and using the <base href> element and/or full URLs in hyperlinks and form actions. If you allow parts of your site to be framed by your own or other web sites, you will need to be more careful how all these anti-framing techniques are applied.

However, I think there could be an adverse effect on public content search engine ranking, due to the use of content hiding, and I do not believe this risk has been examined. If the JavaScript code is used on content which is not meant to be indexed (e.g. registration, log in, password reset and content meant for authenticated users only), this is no longer a risk.

Pass this information on to your development team and ask them what they are doing to protect your web site and its users from framing.
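As an added example (not from the post), here is a check a development team could run over a page's response headers to answer that question: it reads X-Frame-Options and any Content-Security-Policy frame-ancestors directive and returns a verdict with the reasons. The sample header sets at the end are constructed for this illustration and the function names are my own.

```javascript
// Added example, not from the original post: assess a response's anti-framing
// headers. Header names are expected lower-cased, as Node's
// http.IncomingMessage.headers presents them.

// Pull the frame-ancestors source list out of a Content-Security-Policy value,
// or return null if the directive is absent.
function parseFrameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Return { protected, mechanism, findings } for one response's headers.
function assessFraming(headers) {
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  const findings = [];

  // Browsers that support frame-ancestors apply it in preference to
  // X-Frame-Options, so it is assessed first.
  if (ancestors) {
    if (ancestors.length === 1 && ancestors[0] === "'none'") {
      return { protected: true, mechanism: 'csp', findings };
    }
    if (ancestors.includes('*')) {
      findings.push('frame-ancestors * permits any site to frame this page');
      return { protected: false, mechanism: 'csp', findings };
    }
    findings.push(`frame-ancestors restricts framing to: ${ancestors.join(' ')}`);
    if (!xfo) findings.push('no X-Frame-Options fallback for browsers without CSP support');
    return { protected: true, mechanism: 'csp', findings };
  }

  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    findings.push('X-Frame-Options only; no CSP frame-ancestors directive');
    return { protected: true, mechanism: 'x-frame-options', findings };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    findings.push('ALLOW-FROM is obsolete and ignored by current browsers; use CSP frame-ancestors');
    return { protected: false, mechanism: 'x-frame-options', findings };
  }
  if (xfo) {
    findings.push(`unrecognised X-Frame-Options value "${xfo}"; browsers do not enforce it`);
  } else {
    findings.push('no anti-framing header; the page relies on JavaScript frame busting, if anything');
  }
  return { protected: false, mechanism: 'none', findings };
}

// Constructed sample responses for the illustration (not captured traffic).
const SAMPLE_RESPONSES = {
  loginPage: {
    'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
    'x-frame-options': 'DENY',
  },
  legacyPage: { 'x-frame-options': 'SAMEORIGIN' },
  partnerWidget: { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
  unprotected: { 'content-type': 'text/html' },
  openCsp: { 'content-security-policy': 'frame-ancestors *' },
};

// Assess every sample and return a report keyed by name.
function auditAll(samples) {
  const report = {};
  for (const [name, headers] of Object.entries(samples)) {
    report[name] = assessFraming(headers);
  }
  return report;
}
```

Calling `auditAll(SAMPLE_RESPONSES)` flags `unprotected` and `openCsp` as unprotected, notes that `legacyPage` has no CSP directive and that `partnerWidget` has no X-Frame-Options fallback, and passes `loginPage` cleanly. The same function can be fed the headers of a live response to check whether the header-based recommendations above have actually been deployed.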

Posted on: 18 June 2010 at 10:25 hrs


http://www.clerkendweller.com/2010/6/18/Frame-Busting-Code
© 2010-2012 clerkendweller.com