Frame Buster Buster … buster code needed

Let’s say you don’t want other sites to “frame” your site in an <iframe>:

So you insert anti-framing, frame busting JavaScript into all your pages:

Excellent! Now you “bust” or break out of any containing iframe automatically. Except for one small problem.

As it turns out, your frame-busting code can be busted, as shown here:

This code does the following:

  • increments a counter every time the browser attempts to navigate away from the current page, via the window.onbeforeunload event handler
  • sets up a timer that fires every millisecond via setInterval(), and if it sees the counter incremented, changes the current location to a server of the attacker’s control
  • that server serves up a page with HTTP status code 204, which does not cause the browser to navigate anywhere

My question is — and this is more of a JavaScript puzzle than an actual problem — how can you defeat the frame-busting buster?

I had a few thoughts, but nothing worked in my testing:

  • attempting to clear the onbeforeunload event via onbeforeunload = null had no effect
  • adding an alert() stopped the process and let the user know it was happening, but did not interfere with the code in any way; clicking OK lets the busting continue as normal
  • I can’t think of any way to clear the setInterval() timer

I’m not much of a JavaScript programmer, so here’s my challenge to you: hey buster, can you bust the frame-busting buster?

1 Answer(s)

Well, you can modify the value of the counter, but that is obviously a brittle solution. You can load your content via AJAX after you have determined the site is not within a frame – also not a great solution, but it hopefully avoids firing the onbeforeunload event (I am assuming).

Edit: Another idea. If you detect you are in a frame, ask the user to disable JavaScript, before clicking on a link that takes you to the desired URL (passing a querystring that lets your page know to tell the user that they can re-enable JavaScript once they are there).

Edit 2: Go nuclear – if you detect you are in a frame, just delete your document body content and print some nasty message.

Edit 3: Can you enumerate the top document and set all functions to null (even anonymous ones)?

Answered on April 6, 2016.
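
The answer's "load content only after the frame check" and "go nuclear" ideas combined, as an added example that is not part of the original question or answer. `isFramed`, `guardAgainstFraming`, the `render` callback and the fake window/document objects are hypothetical names, and the page is assumed to ship with `<body style="display:none">`.

```javascript
// Added example. In a browser, call guardAgainstFraming(window, document, render).
const FRAMED_MESSAGE = 'This page cannot be displayed inside a frame.';

// True when win is not the top-level browsing context. Comparing self and
// top is allowed across origins; if the access throws anyway, fail closed.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    return true;
  }
}

// Assumes the body starts hidden, so a framing page never sees real content.
function guardAgainstFraming(win, doc, render) {
  if (isFramed(win)) {
    // No navigation is attempted, so there is no unload for the parent
    // to intercept; the framed copy only ever shows this message.
    doc.body.textContent = FRAMED_MESSAGE;
    doc.body.style.display = '';
    return 'framed';
  }
  render(doc);                 // content is produced only when top-level
  doc.body.style.display = '';
  return 'top';
}

// Constructed stand-ins for window and document so the logic runs in Node.
function fakeWindow(framed) {
  const w = {};
  w.self = w;
  w.top = framed ? {} : w;
  return w;
}
function fakeDoc() {
  return { body: { textContent: '', style: { display: 'none' } } };
}

// Demo on constructed objects: one top-level load, one framed load.
for (const framed of [false, true]) {
  const doc = fakeDoc();
  const result = guardAgainstFraming(fakeWindow(framed), doc, (d) => {
    d.body.textContent = 'real page content';
  });
  console.log(result, JSON.stringify(doc.body.textContent));
}
```

Nothing here navigates, so the onbeforeunload counter described in the question is never triggered. Sending `X-Frame-Options: DENY` or `Content-Security-Policy: frame-ancestors 'none'` from the server has the browser refuse the framing before any script runs.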