Raising the bar - whitelisted frame busting

March 2nd, 2009

There’s an interesting new trend emerging among web companies - putting a contextualized bar on top of external pages.

StumbleUpon has been doing this for a long time, but the broader trend seems to be new. Facebook started doing it not too long ago, and Digg’s version is currently in beta testing.

The common denominator of the “bar companies” is a wealth of links passing through their servers. They rewrite links passed through their network to point to a page on their own domain, on which they have a bar on top and an iframe below that includes the original, external site.

Being iframed can be annoying, and is easy to avoid. The following javascript snippet “frame busts” your site such that no one can iframe you:

if (location != top.location) { top.location = location }

However, some of these top bars may very well add value to your site. For example, your site becomes more viral - a visitor with the bar on top is probably more likely to share that page with a friend than someone without the bar. Can you allow for some sites to iframe you, but not others? It would look something like:

function frameBustSelectively() {
  // if we're not being framed, just return
  if (top.location == location) { return; }

  // if we're framed by an ok site, just return
  var okDomains = {
    'www.digg.com': true,
    'www.stumbleupon.com': true,
    'www.facebook.com': true
  };
  // this is the line that cannot work cross-origin (see below)
  if (top.location.hostname.toString() in okDomains) { return; }

  // we're framed by a not-ok site - frame bust...
  top.location = location;
}

This is unfortunately not possible. The browser same-origin security model allows you to compare the locations of your current frame and the “top” frame. However, you are not allowed to “inspect” the location of the top frame if it is not on your domain. top.location.hostname.toString() will throw an exception…

So do we give up and call it a day? No - we solve it as a community.

This morning I registered www.oFrameBust.com (in the spirit of oEmbed.com). When it comes up in a day or two there will be a javascript include that you can include on your site that will allow for us as a community to go towards whitelisted iframing. How? Well, it requires some cooperation - but it works:

If you want to iframe a page, you pass in an extra oFrameBust=[your domain] parameter in the GET query of the url. The iframed page will have to include the oFrameBust javascript - if it does, the script will parse the oFrameBust domain out of the GET query, and match it against a whitelist of allowed domains. If there is a match, the script creates an offscreen iframe pointing to [domain]/oFrameBust.html?url=[document.location.href].

That’s the magic moment. Since you are allowed to communicate information through the url to other domains, we now have a page that both knows the current page’s url, and is allowed to inspect the location of the top frame. At this point the oFrameBust.html page can verify that the top frame is indeed the whitelisted domain that was passed in through the oFrameBust get parameter by attempting to read the top.location in a try { } catch(e) { } statement. If it is, everything is well! If not - well, then you just parse out the url of the page that was passed in to [domain]/oFrameBust.html and use it to set top.location=[url];
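Both halves of that handshake, as an added example written for this page (it is not the oFrameBust project’s own code). The framed page parses its own url, matches the oFrameBust value exactly against the whitelist, and builds the [domain]/oFrameBust.html?url=… address for the offscreen iframe; the verifier page then tries to read the top frame’s hostname inside a try/catch and busts out to the passed-in url only when that read fails. The browser-only pieces (top.location, document.location, creating the iframe) are passed in as functions so the decision logic runs outside a browser; the whitelist entries and the /oFrameBust.html path come from the post, while the “http(s) only” check on the passed-in url is an assumption added here so a crafted url parameter can never be assigned to top.location as a script URL.

```javascript
// Whitelisted frame busting: the framed page's side and the verifier page's side.
// Constructed sample whitelist (the three bar companies named in the post).
const OK_FRAMERS = new Set(['www.digg.com', 'www.stumbleupon.com', 'www.facebook.com']);

// Only http(s) targets may ever be assigned to top.location (added hardening).
function safeHttpUrl(candidate) {
  try {
    const u = new URL(candidate);
    return (u.protocol === 'https:' || u.protocol === 'http:') ? u.toString() : null;
  } catch (e) {
    return null; // not a parseable absolute URL
  }
}

// --- Side 1: runs in the framed (inner) page -------------------------------
// Reads ?oFrameBust=<host> out of the page's own URL and, on an exact
// whitelist match, returns the verifier URL to load in an offscreen iframe.
// Returns null when no whitelisted framer was claimed.
function buildVerifierUrl(pageHref, okFramers = OK_FRAMERS) {
  const page = new URL(pageHref);
  const claimed = (page.searchParams.get('oFrameBust') || '').trim().toLowerCase();
  // Exact host match: 'www.digg.com.attacker.example' must not pass.
  if (!okFramers.has(claimed)) return null;
  const verifier = new URL(`https://${claimed}/oFrameBust.html`);
  verifier.searchParams.set('url', pageHref); // percent-encodes the page URL
  return verifier.toString();
}

// What the framed page does: nothing when not framed, bust when the framer
// is unknown, otherwise hand the decision to the whitelisted domain.
function innerPageDecision(pageHref, isFramed, okFramers) {
  if (!isFramed) return { action: 'none' };
  const verifier = buildVerifierUrl(pageHref, okFramers);
  if (verifier === null) return { action: 'bust', target: pageHref };
  return { action: 'verify', iframeSrc: verifier };
}

// --- Side 2: runs inside [domain]/oFrameBust.html ---------------------------
// This page is same-origin with the top frame exactly when its own domain is
// the real framer, so readTopHostname() succeeds then and throws otherwise.
function verifierDecision(verifierHref, readTopHostname) {
  const self = new URL(verifierHref);
  const expectedHost = self.hostname.toLowerCase();
  let topHost = null;
  try {
    topHost = readTopHostname().toLowerCase();
  } catch (e) {
    topHost = null; // SecurityError: the whitelisted domain is NOT on top
  }
  if (topHost === expectedHost) return { action: 'none' };
  // Someone else is framing the page: bust out to the page's own URL.
  const target = safeHttpUrl(self.searchParams.get('url'));
  if (target === null) return { action: 'ignore' }; // refuse non-http(s) targets
  return { action: 'bust', target };
}

// --- Browser glue (no-ops outside a browser) --------------------------------
function installInnerPage() {
  if (typeof window === 'undefined') return;
  const d = innerPageDecision(window.location.href, window.top !== window.self);
  if (d.action === 'bust') {
    window.top.location = d.target;
  } else if (d.action === 'verify') {
    const f = document.createElement('iframe');
    f.style.cssText = 'position:absolute;left:-9999px;width:1px;height:1px';
    f.src = d.iframeSrc;
    document.body.appendChild(f);
  }
}

function installVerifierPage() {
  if (typeof window === 'undefined') return;
  const d = verifierDecision(window.location.href, () => window.top.location.hostname);
  if (d.action === 'bust') window.top.location = d.target;
}
```

The framed page only ever loads the verifier from the domain it found in its own whitelist, so a framer cannot name an arbitrary verifier; and the verifier only ever navigates to an http(s) url, so the url parameter cannot be abused to run script in the top frame.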

I’ve got a prototype of this that will be up on www.oFrameBust.com in two days. Keep an eye out! This is totally intended to be an open source, transparent project, so if you’re interested let me know and I’ll keep you in the loop. After all, this could only succeed as a community.

6 Responses to “Raising the bar - whitelisted frame busting”

  1. Posts about Digg as of March 2, 2009 » The Daily Parr Says:

[…] by tiffadmin on March 2nd, 2009 with no comments. Read more articles on Uncategorized. + Digg Raising the bar - whitelisted frame busting - blog.narcvs.com 03/02/2009 There’s an interesting new trend emerging among web companies - […]
