How to prevent IFRAME from redirecting top-level window

Question

Some websites have code to  break out  of IFRAME enclosures  meaning that if a page A is loaded as an IFRAME inside an parent page P some Javascript in A redirects the outer window to A   Typically this Javascript looks something like this    lt script type  text javascript  gt    if  top location href    self location href       top location href   self location href   lt  script gt    My question is  As the author of the parent page P and not being the author of the inner page A  how can I prevent A from doing this break-out   P S  It seems to me like it ought to be a cross-site security violation  but it isn t

User · Answer

I ve found some useful hacks on this   Using JS how can I stop child Iframes from redirecting or at least prompt users about the redirect  http   www codinghorror com blog 2009 06 we-done-been-framed html  http   coderrr wordpress com 2009 02 13 preventing-frame-busting-and-click-jacking-ui-redressing

User · Answer

By doing so you d be able to control any action of the framed page  which you cannot  Same-domain origin policy applies

User · Answer

Since the page you load inside the iframe can execute the  break out  code with a setInterval  onbeforeunload might not be that practical  since it could flud the user with  Are you sure you want to leave   dialogs   There is also the iframe security attribute which only works on IE  amp  Opera

User · Answer

With HTML5 the iframe sandbox attribute was added  At the time of writing this works on Chrome  Safari  Firefox and recent versions of IE and Opera but does pretty much what you want    lt iframe src  url  sandbox  allow-forms allow-scripts  gt  lt  iframe gt    If you want to allow top-level redirects specify sandbox  allow-top-navigation

User · Answer

By doing so you d be able to control any action of the framed page  which you cannot  Same-domain origin policy applies

User · Answer

Since the page you load inside the iframe can execute the  break out  code with a setInterval  onbeforeunload might not be that practical  since it could flud the user with  Are you sure you want to leave   dialogs   There is also the iframe security attribute which only works on IE  amp  Opera

User · Answer

I know it has been a long time since question was done but here is my improved version it will wait 500ms for any subsequent call only when the iframe is loaded    lt script type  text javasript  gt  var prevent bust   false       var from loading 204   false      var frame loading   false      var prevent bust timer   0      var  primer   true      window onbeforeunload   function event            prevent bust    from loading 204  amp  amp  frame loading          if from loading 204 from loading 204   false          if prevent bust               prevent bust timer 500                      function frameLoad            if  primer               from loading 204   true              window top location      204               prevent bust   false              frame loading   true              prevent bust timer 1000           else              primer   false                      setInterval function               if  prevent bust timer gt 0                  if prevent bust                   from loading 204   true                  window top location      204                   prevent bust   false               else if prevent bust timer    1                   frame loading   false                  prevent bust   false                  from loading 204   false                  prevent bust timer    0                                     prevent bust timer--          if prevent bust timer  -100                prevent bust timer   0                   1    lt  script gt    and onload  frameLoad    and  onreadystatechange  frameLoad     must be added to the frame or iframe

User · Answer

Since the page you load inside the iframe can execute the  break out  code with a setInterval  onbeforeunload might not be that practical  since it could flud the user with  Are you sure you want to leave   dialogs   There is also the iframe security attribute which only works on IE  amp  Opera

User · Answer

Since the page you load inside the iframe can execute the  break out  code with a setInterval  onbeforeunload might not be that practical  since it could flud the user with  Are you sure you want to leave   dialogs   There is also the iframe security attribute which only works on IE  amp  Opera

User · Answer

With HTML5 the iframe sandbox attribute was added  At the time of writing this works on Chrome  Safari  Firefox and recent versions of IE and Opera but does pretty much what you want    lt iframe src  url  sandbox  allow-forms allow-scripts  gt  lt  iframe gt    If you want to allow top-level redirects specify sandbox  allow-top-navigation

User · Answer

By doing so you d be able to control any action of the framed page  which you cannot  Same-domain origin policy applies

User · Answer

By doing so you d be able to control any action of the framed page  which you cannot  Same-domain origin policy applies

User · Answer

Try using the onbeforeunload property  which will let the user choose whether he wants to navigate away from the page   Example  https   developer mozilla org en-US docs Web API Window onbeforeunload  In HTML5 you can use sandbox property  Please see Pankrat s answer below  http   www html5rocks com en tutorials security sandboxed-iframes

User · Answer

I use sandbox         allow-forms allows form submission allow-popups allows popups allow-pointer-lock allows pointer lock allow-same-origin allows the document to maintain its origin allow-scripts allows JavaScript execution  and also allows features to trigger automatically allow-top-navigation allows the document to break out of the frame by navigating the top-level window   Top navigation is what you want to prevent  so leave that out and it will not be allowed   Anything left out will be blocked  ex             lt iframe sandbox  allow-same-origin allow-scripts allow-popups allow-forms  src  http   www example com  lt  iframe gt

User · Answer

I know it has been a long time since question was done but here is my improved version it will wait 500ms for any subsequent call only when the iframe is loaded    lt script type  text javasript  gt  var prevent bust   false       var from loading 204   false      var frame loading   false      var prevent bust timer   0      var  primer   true      window onbeforeunload   function event            prevent bust    from loading 204  amp  amp  frame loading          if from loading 204 from loading 204   false          if prevent bust               prevent bust timer 500                      function frameLoad            if  primer               from loading 204   true              window top location      204               prevent bust   false              frame loading   true              prevent bust timer 1000           else              primer   false                      setInterval function               if  prevent bust timer gt 0                  if prevent bust                   from loading 204   true                  window top location      204                   prevent bust   false               else if prevent bust timer    1                   frame loading   false                  prevent bust   false                  from loading 204   false                  prevent bust timer    0                                     prevent bust timer--          if prevent bust timer  -100                prevent bust timer   0                   1    lt  script gt    and onload  frameLoad    and  onreadystatechange  frameLoad     must be added to the frame or iframe

User · Answer

Try using the onbeforeunload property  which will let the user choose whether he wants to navigate away from the page   Example  https   developer mozilla org en-US docs Web API Window onbeforeunload  In HTML5 you can use sandbox property  Please see Pankrat s answer below  http   www html5rocks com en tutorials security sandboxed-iframes

User · Answer

In my case I want the user to visit the inner page so that server will see their ip as a visitor  If I use the php proxy technique I think that the inner page will see my server ip as a visitor so it is not good  The only solution I got so far is wilth onbeforeunload  Put this on your page    lt script type  text javascript  gt      window onbeforeunload   function                                      return  This will end your session          lt  script gt    This works both in firefox and ie  thats what I tested for  you will find versions using something like evt return whatever  crap    that doesn t work in firefox

User · Answer

After reading the w3 org spec  I found the sandbox property   You can set sandbox     which prevents the iframe from redirecting  That being said it won t redirect the iframe either  You will lose the click essentially   Example here  http   jsfiddle net ppkzS 1  Example without sandbox  http   jsfiddle net ppkzS

User · Answer

I use sandbox         allow-forms allows form submission allow-popups allows popups allow-pointer-lock allows pointer lock allow-same-origin allows the document to maintain its origin allow-scripts allows JavaScript execution  and also allows features to trigger automatically allow-top-navigation allows the document to break out of the frame by navigating the top-level window   Top navigation is what you want to prevent  so leave that out and it will not be allowed   Anything left out will be blocked  ex             lt iframe sandbox  allow-same-origin allow-scripts allow-popups allow-forms  src  http   www example com  lt  iframe gt

User · Answer

I ve found some useful hacks on this   Using JS how can I stop child Iframes from redirecting or at least prompt users about the redirect  http   www codinghorror com blog 2009 06 we-done-been-framed html  http   coderrr wordpress com 2009 02 13 preventing-frame-busting-and-click-jacking-ui-redressing

User · Answer

Try using the onbeforeunload property  which will let the user choose whether he wants to navigate away from the page   Example  https   developer mozilla org en-US docs Web API Window onbeforeunload  In HTML5 you can use sandbox property  Please see Pankrat s answer below  http   www html5rocks com en tutorials security sandboxed-iframes

User · Answer

After reading the w3 org spec  I found the sandbox property   You can set sandbox     which prevents the iframe from redirecting  That being said it won t redirect the iframe either  You will lose the click essentially   Example here  http   jsfiddle net ppkzS 1  Example without sandbox  http   jsfiddle net ppkzS

User · Answer

In my case I want the user to visit the inner page so that server will see their ip as a visitor  If I use the php proxy technique I think that the inner page will see my server ip as a visitor so it is not good  The only solution I got so far is wilth onbeforeunload  Put this on your page    lt script type  text javascript  gt      window onbeforeunload   function                                      return  This will end your session          lt  script gt    This works both in firefox and ie  thats what I tested for  you will find versions using something like evt return whatever  crap    that doesn t work in firefox

User · Answer

Try using the onbeforeunload property  which will let the user choose whether he wants to navigate away from the page   Example  https   developer mozilla org en-US docs Web API Window onbeforeunload  In HTML5 you can use sandbox property  Please see Pankrat s answer below  http   www html5rocks com en tutorials security sandboxed-iframes

[javascript] How to prevent IFRAME from redirecting top-level window

Examples related to javascript

Examples related to html

Examples related to iframe