JavaScript FrameBuster Snippet

By  on  

Oftentimes you want to make sure your site isn't being IFRAME'd.  Sometimes it's for security reasons, other times it's so your site's content isn't being skimmed else, and other times it's...oh, who cares, you just want to do it.  Here's a short way to escape frames:

if (top.location != self.location) {
    top.location = self.location.href;
}

Uglify this and you get 63 characters of gold.  Simple, effective.

Recent Features

  • By
    CSS vs. JS Animation: Which is Faster?

    How is it possible that JavaScript-based animation has secretly always been as fast — or faster — than CSS transitions? And, how is it possible that Adobe and Google consistently release media-rich mobile sites that rival the performance of native apps? This article serves as a point-by-point...

  • By
    How I Stopped WordPress Comment Spam

    I love almost every part of being a tech blogger:  learning, preaching, bantering, researching.  The one part about blogging that I absolutely loathe:  dealing with SPAM comments.  For the past two years, my blog has registered 8,000+ SPAM comments per day.  PER DAY.  Bloating my database...

Incredible Demos

  • By
    Create a Brilliant Sprited, CSS-Powered Firefox Animation

    Mozilla recently formally announced Firefox OS and its partners at Mobile World Congress and I couldn't be more excited.  Firefox OS is going to change the lives of people in developing countries, hopefully making a name for itself in the US as well.  The...

  • By
    HTML5 Input Types Alternative

    As you may know, HTML5 has introduced several new input types: number, date, color, range, etc. The question is: should you start using these controls or not? As much as I want to say "Yes", I think they are not yet ready for any real life...

Discussion

  1. Sorry bit of a jacascript noob here – this sounds great but how would one implement it? Where does it go?

    Again apologies for what must sound a simple question.

    • Eric

      Just toss it at the top of your javascript file :). Really anywhere in your JS this would work.

    • Just don’t put it inside a function unless that your intention. For example if for some reason you want to give your users a chance to make sure the page isn’t iframed by clicking a button then you put that code in a function say unIFrameMe() and then call that function when onclick the button.

      In general, you’ll want this code to be outside of a function, so it is run when the js is loaded.

      EMILIO!

  2. Thanks for the answers re the javascript.

    htaccess solutions might be better as they are not so easily bypassed:

    To blocks all sites (including your own) from iframing your pages:

    Header append X-FRAME-OPTIONS "DENY"
    

    or to block any external site from iframing your pages:

    Header append X-FRAME-OPTIONS "SAMEORIGIN"
    
  3. You can also only block some of your urls with the x-frame-options header. Here’s an apache solution

    Header always append X-Frame-Options SAMEORIGIN # Block any site from applying an iframe.

  4. Apparently I didn’t use `pre` tags.

    Header always append X-Frame-Options SAMEORIGIN # Block any site from applying an iframe.
    

Wrap your code in <pre class="{language}"></pre> tags, link to a GitHub gist, JSFiddle fiddle, or CodePen pen to embed!