Channel: coderrr » javascript

Preventing Frame Busting and Click Jacking (UI Redressing)


Some websites are under the impression this very old frame busting code can prevent click jacking attacks:

try {
  // Reading top.location.hostname throws when the parent frame is on another
  // origin, so a mismatch and an access error both end up in the catch block.
  if (top.location.hostname != self.location.hostname) throw 1;
} catch (e) {
  // Framed by someone else: replace the whole window with this page.
  top.location.href = self.location.href;
}

Here’s a very simple way around this which works in both FF and IE7: (update: a way to work around this prevention here)

var prevent_bust = 0;
// Each attempt to navigate away (the frame buster firing) bumps the counter.
window.onbeforeunload = function() { prevent_bust++; };
setInterval(function() {
  if (prevent_bust > 0) {
    prevent_bust -= 2;
    // Queue a navigation that the server answers with 204, overriding the bust.
    window.top.location = 'http://server-which-responds-with-204.com';
  }
}, 1);

The server only needs to respond with:

HTTP/1.1 204 No Content

On most browsers a 204 (No Content) HTTP response will do nothing, meaning it will leave you on the current page. But the request attempt will override the previous frame busting attempt, rendering it useless. If the server responds quickly this will be almost invisible to the user.

Update: If the frame busting code is at the beginning of the page, before any content loads, then even though the frame busting will be prevented, so will the loading of the remainder of the page. This means that your content would be hidden and un-clickjackable (only in FF, see below for IE).

So what can a website do to prevent clickjacking? I’m not a security expert but this seems to cover almost all the cases:

First, have your page load with all content hidden using CSS. Something along the lines of:

<body style="display:none" ...>

Then use some variant of the frame busting code, but instead of busting, use it to determine whether or not to display your content:

try {
  // Same exception behaviour as the buster: a cross-origin parent makes this
  // read throw, and a readable but different hostname throws explicitly.
  if (top.location.hostname != self.location.hostname)
    throw 1;

  // Only reached when not framed, or framed by our own hostname.
  document.body.style.display = 'block';
} catch (e) {
  // possible clickjack attack, leave content hidden
}

This covers most of the cases. It covers IE’s SECURITY=RESTRICTED which allows you to turn off scripting for an iframe. If your site is loaded like this, your script will not run and your content will remain hidden (as mentioned here). And it covers a standard clickjack attack by not displaying your content if it detects that it has been framed. What it doesn’t cover is a user who comes to your site with javascript disabled (who will see nothing). You of course could present them with a message saying javascript is required (using <noscript>). Sucks, but it seems at this point that is the price to pay for clickjacking protection.
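The hide-then-reveal check above, as an added example that is not code from the original post: the decision is factored into a function that takes the `window` object, so it can be run against constructed stand-ins (hypothetical objects named `CASES`, `ownWindow` and `makeHiddenDocument`, none of them real browser APIs) for the situations the post discusses. It goes slightly beyond the page's snippet by short-circuiting the unframed case (`top === self`) before touching `top.location`, and it models the reason the `try`/`catch` is there: in a cross-origin frame, reading `top.location.hostname` throws a SecurityError, and that exception must leave the content hidden just like the explicit `throw 1`.

```javascript
// Added example, not code from the original post: the "hide, then reveal only
// when not framed by another host" check, written so it can be exercised with
// constructed stand-ins for `window` outside a browser.

function decideDisplay(win) {
  try {
    // Not framed at all: the top-level window is ourselves, so show content.
    if (win.top === win.self) return 'block';
    // Framed: reveal only if the top-level document is on our own hostname.
    // In a cross-origin frame this property read throws, which lands in catch.
    if (win.top.location.hostname !== win.self.location.hostname) throw 1;
    return 'block';
  } catch (e) {
    // Hostname mismatch or cross-origin access error: possible clickjack, stay hidden.
    return 'none';
  }
}

// Glue for a real page: the markup ships with <body style="display:none">,
// and this runs once the body element exists. Returns the value it applied.
function applyToDocument(win, doc) {
  doc.body.style.display = decideDisplay(win);
  return doc.body.style.display;
}

// --- Constructed stand-ins (hypothetical objects, not real browser windows) ---
const ownWindow = { location: { hostname: 'example.com' } };

const CASES = {
  // Page loaded directly in a tab: top and self are the same object.
  notFramed: { self: ownWindow, top: ownWindow },
  // Framed by a page on the same host (e.g. the site's own widget).
  sameOriginFrame: { self: ownWindow, top: { location: { hostname: 'example.com' } } },
  // Framed by another host whose location happens to be readable.
  otherHostFrame: { self: ownWindow, top: { location: { hostname: 'other-site.invalid' } } },
  // Framed by another origin in a browser that blocks the access with an exception.
  crossOriginFrame: {
    self: ownWindow,
    top: {
      get location() {
        throw new Error('SecurityError: blocked a frame from accessing a cross-origin frame');
      },
    },
  },
};

// Minimal document stand-in matching <body style="display:none">.
function makeHiddenDocument() {
  return { body: { style: { display: 'none' } } };
}

// Show the decision for each constructed situation.
for (const [name, win] of Object.entries(CASES)) {
  console.log(name.padEnd(17), '->', applyToDocument(win, makeHiddenDocument()));
}
```

The two framed-by-another-host cases are kept separate on purpose: older browsers let the hostname read succeed and rely on the explicit `throw 1`, while current ones throw on the property access itself, and the check must hide the content either way. Browsers that block scripting in the frame (IE's SECURITY=RESTRICTED) never run this code at all, which is exactly why the body starts hidden in the HTML rather than being hidden by script.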

If you have or know of a better solution please let me know.

Note to users: NoScript can protect you from clicking on invisible elements.
