The right and right of FrameBusting

Frame busting is an implementation that uses js to determine location to prevent web pages from being embedded by iframe:

If (top. location! = Location)
Top. location = self. location;

If you still do not understand it, please wikipedia.

I remember that this was still available on the Baidu homepage. I wanted to test the implementation of bypassing Baidu. Today, I saw that Baidu did not know when to withdraw it.

On the 20th, some foreigners published paper, discussing the implementation and bypassing skills of various framebusting:

Http://seclab.stanford.edu/websec/framebusting/framebust.pdf

This is produced by the stanford security lab that black brother worships very much. It must be a boutique.

In terms of technological innovation, only 3.5-4 points can be given. However, the author's earnest attitude and comprehensive data collection are highlights of this paper.

Summary:
Several attack methods:
1. Secondary frame (not for top. location, but for parent. location)
2. Use the onbeforeunload event
3. xss
4. Construct a referer to bypass js referer checks
5. browser vulnerabilities (the location change bug in IE 7 that eggplant once pointed out)
6. iframe security Attribute (only supported by IE)
7. iframe sandbox attribute (HTML5)
8. browser designmode
9. Some mobile phone sites

Recommended defense methods:
1. X-Frame-Options (I remember this header in my blog)
2. CSP (mozilla project, search my blog)
3. The method of using the hidden element is a little handy, but useful and common.