block browser busting chrome clickjacking code design diggbar frambuster frame frame-killer framekiller framekiller-script frames framew html html-coding iframe javascript killer learningmanager problemi radar remove security tips usability web webdesign webdev

My tags:

From Wikipedia, the free encyclopedia

A framekiller or frame buster is a piece of JavaScript code that doesn't allow a Web page to be displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. This kind of script is often used to prevent a frame from an external Web site being loaded from within a frameset without permission.

The typical source code for a framekiller script is:

<script type="text/javascript">if (top !== self) top.location.replace(self.location.href);</script>

A variation that lets the user know why they are being redirected with the use of a pop-up alert is:

<script type="text/javascript">
    if (top !== self) {
        alert('The URL '+self.location.href+' cannot be viewed inside a frame.  You will be redirected.');
        top.location.replace(self.location.href);
    }
</script>

[edit] Limitations

Because this is a client-side Javascript solution, it relies on the end-user's browser to enforce their own security. This makes it a beneficial but unreliable means of disallowing your page to be embedded in other pages. The following situations may render the script above useless:

• The user agent does not support JavaScript.
• The user agent supports JavaScript, but this support has been opted out of by the user.
• The user agent's JavaScript support is flawed or partially implemented.
• The user agent's behavior is modified by a virus or plug-in (possibly without the user's knowledge) in a way that undermines the framekiller script.