Frame busting is a technique that uses JavaScript to check the window location and prevent a web page from being embedded in an iframe:
if (top.location != location)
    top.location = self.location;
If that is still unclear, see Wikipedia.
I remember that this used to be on the Baidu homepage, and I had wanted to test bypassing Baidu's implementation. Looking today, I saw that Baidu has withdrawn it at some point, I don't know when.
On the 20th, some foreign researchers published a paper discussing the implementations of, and bypass techniques for, various frame busting schemes:
http://seclab.stanford.edu/websec/framebusting/framebust.pdf
This was produced by the Stanford security lab, which Black Brother admires very much, so it is bound to be quality work.
For technical innovation it earns only 3.5-4 points. However, the authors' earnest attitude and comprehensive data collection are the highlights of this paper.
Summary:
Several attack methods:
1. Double framing (targets busters that set parent.location rather than top.location)
2. Use the onbeforeunload event
3. XSS
4. Craft a referrer to bypass JavaScript referrer checks
5. Browser vulnerabilities (the location change bug in IE 7 that eggplant once pointed out)
6. iframe security attribute (only supported by IE)
7. iframe sandbox attribute (HTML5)
8. Browser designMode
9. Some mobile phone sites
Recommended defense methods:
1. X-Frame-Options (I remember covering this header on my blog)
2. CSP (a Mozilla project; search my blog)
3. The hidden-element method, which is a little handy, but useful and common.
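
Defense 3 sketched as an added example (not code from the original post or the paper), assuming the "hidden element" method means the common pattern of hiding the page with CSS and revealing it from script only when it is the top window. The function names, the mock window/document objects and the example.* URLs are constructed for illustration.

```javascript
// Added example, not from the post. Pair with CSS in <head> that hides the page
// before any script runs:  <style>html { visibility: hidden; }</style>

// Reveal the page only when it is the top-level window; otherwise try to bust
// out. In a browser: frameGuard(window, document) from an inline <head> script.
function frameGuard(win, doc) {
  if (win.self === win.top) {
    doc.documentElement.style.visibility = 'visible';
    return 'shown';
  }
  try {
    win.top.location = win.self.location; // may be cancelled, or throw if sandboxed
  } catch (e) { /* navigation refused: the page simply stays hidden */ }
  return 'hidden';
}

// The naive buster from the post in the same shape. Content is visible by
// default, so a cancelled navigation leaves it displayed inside the frame.
function naiveBuster(win) {
  if (win.top.location != win.self.location) {
    try { win.top.location = win.self.location; } catch (e) { /* ignored */ }
  }
}

// Constructed stand-ins for window/document so the example runs under Node.
// navBlocked models a framing page that cancels the navigation (list item 2).
function mockWindow({ framed, navBlocked = false }) {
  const self = { location: 'https://site.example/' };
  if (!framed) return { self, top: self };
  let loc = 'https://framer.example/';
  const top = {
    get location() { return loc; },
    set location(v) { if (!navBlocked) loc = v; },
  };
  return { self, top };
}
const mockDocument = (visibility) => ({ documentElement: { style: { visibility } } });

// True when the page is rendered visibly while still inside the framing page.
function exposed(win, doc) {
  return doc.documentElement.style.visibility === 'visible' &&
         win.top.location !== win.self.location;
}

// If scripts are disabled in the frame (list items 6 and 7) neither function
// runs: the naive page is shown as-is, the guarded page stays hidden by CSS.
// Trade-off: legitimate visitors without JavaScript also see nothing.
```

The guard fails closed: whenever the script cannot confirm it is running in the top window, the content is never displayed.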