EducationBot: Новая страница: «{{Английская Википедия/Панель перехода}} {{Short description|Technique used by websites to prevent loading in frames}} A '''framekiller''' (or '''framebuster''' or '''framebreaker''') is a technique used by websites and web applications to prevent their web pages from being displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. A framek...»

2024-03-09T02:21:37Z

Новая страница: «{{Английская Википедия/Панель перехода}} {{Short description|Technique used by websites to prevent loading in frames}} A '''framekiller''' (or '''framebuster''' or '''framebreaker''') is a technique used by websites and web applications to prevent their web pages from being displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. A framek...»

Новая страница

{{Английская Википедия/Панель перехода}}
{{Short description|Technique used by websites to prevent loading in frames}}
A '''framekiller''' (or '''framebuster''' or '''framebreaker''') is a technique used by [[websites]] and [[web application]]s to prevent their [[web page]]s from being displayed within a [[HTML element#Frames|frame]]. A frame is a subdivision of a Web browser window and can act like a smaller window. A framekiller is usually used to prevent a website from being loaded from within a frameset without permission or as an attack, as with [[clickjacking]].

Framekiller scripts have largely been replaced by the usage of [[Clickjacking#X-Frame-Options|<code>X-Frame-Options</code>]] and [[Clickjacking#Content_Security_Policy|<code>Content-Security-Policy</code>]] [[List_of_HTTP_header_fields|headers]], which prevent the page from being loaded in a frame in the first place. These headers are supported by all modern browsers and do not require the use of [[JavaScript]].<ref>{{cite web |url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors |title=CSP: frame-ancestors |access-date=2023-09-27}}</ref> These headers are also intended to be specified inside the [[web server]] software, rather than directly inside the HTML.

==Implementations==
Framekillers are implemented using [[JavaScript]] that validates if the current window is the main window. The recommended approach is to block rendering of the window by default and only unblock it after confirming the current window is the main one:

<syntaxhighlight lang="javascript">
<style>html{display:none;}</style>
<script>
if (self == top) {
document.documentElement.style.display = 'block';
} else {
top.location = self.location;
}
</script>
</syntaxhighlight>

This approach was proposed in 2010 by Gustav Rydstedt, [[Elie Bursztein]], [[Dan Boneh]] and Collin Jackson in a paper that highlighted the limitations of existing frame-busting techniques along with techniques allowing to bypass them.<ref name="bustingframe">{{cite conference
|author1=G. Rydstedt |author2=E. Bursztein |author3=D. Boneh |author4=C. Jackson |title=Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular sites
|book-title = 3rd Web 2.0 Security and Privacy workshop
|year=2010
|publisher=IEEE
|url=https://elie.net/publication/busting-frame-busting-a-study-of-clickjacking-vulnerabilities-on-popular-sites/
}}</ref>

=== Alternative solutions ===
An alternative choice is to allow the user to determine whether to let the framekiller work.

<syntaxhighlight lang="javascript">
var framekiller = false;
window.onbeforeunload = function() {
if (framekiller) {
return "..."; // any message that helps user to make decision
}
};
</syntaxhighlight>

and the code below should be added after the frame tag:

<syntaxhighlight lang="javascript">
//"my_frame" should be changed according to the real id of the frame in your page
document.getElementById("my_frame").onload = function() {
framekiller = true;
};
</syntaxhighlight>

===Original framekillers===

Historically, the first framekiller scripts were as simple as this:

<syntaxhighlight lang="javascript">
<script type="text/javascript">
if (top != self) top.location.replace(location);
</script>
</syntaxhighlight>

The logic here was to display the page, but check if the top location is the same as the current page, and replace the top by current if not. This method however can be easily bypassed by blocking execution of the framebuster script from the outer frame.<ref name="bustingframe"/>

==Framekiller limitations==

[[Client-side JavaScript]] solution relies on the end-user's browser enforcing their own security. This makes it a beneficial, but unreliable, means of disallowing your page to be embedded in other pages. The following situations may render the script above useless:

* The user agent does not support JavaScript.
* The user agent supports JavaScript but the user has turned support off.
* The user agent's JavaScript support is flawed or partially implemented.

==Anti-framekiller==
The [[HTML element#Frames|iframe]] in HTML5 has a {{mono|sandbox}} attribute.<ref>{{Cite web |url=http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-sandbox |title=Archived copy |access-date=2014-11-01 |archive-url=https://web.archive.org/web/20130606104953/http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-sandbox |archive-date=2013-06-06 |url-status=dead }}</ref> The attribute's value is a set of allowed capabilities for the iframe's content. If the value is empty or not set, the iframe's content will not execute JavaScript, and won't allow top-level navigation. By specifying {{mono|allow-scripts}} in the space separated set of exceptions in the value, the iframe will allow JavaScript, but will still disallow top-level navigation, rendering framekillers in the iframe impotent.

== See also ==
* [[Clickjacking]] - discusses more sophisticated methods to prevent embedding in a frame, such as X-Frame-Options header

== References ==
{{Reflist}}

[[Category:HTML]]
{{Навигационная таблица/Портал/Английская Википедия}}
[[Категория:Английская Википедия]]
[[Категория:Википедия]]
[[Категория:Статья из Википедии]]
[[Категория:Статья из Английской Википедии]]

Английская Википедия:Framekiller - История изменений