Framekiller

From Seo Wiki - Search Engine Optimization and Programming Languages

A framekiller (or framebuster) is a piece of JavaScript code that doesn't allow a Web page to be displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. This kind of script is often used to prevent a page from being loaded inside a frameset on an external Web site without permission.

The typical source code for a framekiller script is:

<script type="text/javascript">if (top != self) top.location.replace(self.location.href);</script>

A variation that lets the user know why they are being redirected with the use of a pop-up alert is:

<script type="text/javascript">
    if (top != self) {
        alert('The URL '+self.location.href+' cannot be viewed inside a frame.  You will be redirected.');
        top.location.replace(self.location.href);
    }
</script>

Framekiller Killers

The above framekiller can be prevented from working with the following JavaScript, together with a server that responds with an HTTP 204 status, as discovered here: http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing/

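 // Counts attempts to navigate the top-level (framing) page away.
 var prevent_bust = 0;
 window.onbeforeunload = function() { prevent_bust++; };
 setInterval(function() {
   if (prevent_bust > 0) {
     prevent_bust -= 2;
     // Pointing the top window at a URL that answers 204 leaves the framing page in place.
     window.top.location = 'http://server-which-responds-with-204.com';
   }
 }, 1);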

Alternative Solution

An alternative choice is to allow the user to determine whether to let the framekiller work, as discovered here: http://www.farelog.com/doc/Framekiller_Killer.aspx

 var framekiller = true;
 window.onbeforeunload = function() { 
   if(framekiller) {
     return "...";  //"..." can be any message that helps user to make decision
   }
 }

and the code below should be added after the frame tag:

 //"iframe" should be changed according to the real id/name of the frame in your page 
 document.getElementById("iframe").onload = function() { 
   framekiller = false;
 }

Limitations

This client-side JavaScript solution relies on the end user's browser to enforce it. This makes it a beneficial but unreliable means of preventing your page from being embedded in other pages. The following situations may render the script above useless:

  • The user agent does not support JavaScript.
  • The user agent supports JavaScript but the user has turned support off.
  • The user agent's JavaScript support is flawed or partially implemented.
  • The user agent's behavior is modified by a virus or plug-in (possibly without the user's knowledge) in a way that undermines the framekiller script.
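
A framekiller that tolerates the cancelled redirect described under "Framekiller Killers" keeps the page hidden unless it can confirm it is the top-level window. The following is an added example, not code from the original page; the style element id "antiframe", the helper makeStubs and the example.* URLs are assumptions made for illustration.

```javascript
// Added example (not from the original page): fail-closed framekiller.
// Assumption: the page's <head> contains
//   <style id="antiframe">html { display: none !important; }</style>
// ("antiframe" is a hypothetical id), so nothing renders until this runs.
function guardAgainstFraming(win, doc) {
  var framed;
  try {
    framed = win.top !== win.self;
  } catch (e) {
    framed = true; // cannot tell, so treat the page as framed
  }
  if (!framed) {
    // Top-level window: remove the hiding rule and show the page.
    var hide = doc.getElementById('antiframe');
    if (hide && hide.parentNode) hide.parentNode.removeChild(hide);
    return 'shown';
  }
  try {
    win.top.location.replace(win.self.location.href);
  } catch (e) {
    // The framing page refused the navigation; the page stays hidden.
  }
  return 'hidden';
}

// Browser entry point; skipped where there is no DOM (e.g. Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  guardAgainstFraming(window, document);
}

// Constructed stand-ins for window/document, to exercise the logic offline.
function makeStubs(isFramed, navigationBlocked) {
  var state = { styleAttached: true, topUrl: 'https://other.example/' };
  var style = { parentNode: { removeChild: function () { state.styleAttached = false; } } };
  var w = { location: { href: 'https://site.example/page' } };
  w.self = w;
  w.top = !isFramed ? w : { location: { replace: function (url) {
    if (navigationBlocked) throw new Error('navigation blocked');
    state.topUrl = url;
  } } };
  var doc = { getElementById: function (id) {
    return id === 'antiframe' && state.styleAttached ? style : null;
  } };
  return { win: w, doc: doc, state: state };
}
```

With the hiding rule in a static stylesheet, a user agent without JavaScript never reveals the page, so the first two limitations above result in a blank page rather than a frameable one.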
