Organizational Research By

Surprising Reserch Topic

how to prevent iframe from redirecting top level window

how to prevent iframe from redirecting top level window  using -'javascript,html,iframe'

Some websites have code to "break out" of IFRAME enclosures, meaning that if a page A is loaded as an IFRAME inside an parent page P some Javascript in A redirects the outer window to A.

Typically this Javascript looks something like this:

<script type="text/javascript">
  if (top.location.href != self.location.href)
     top.location.href = self.location.href;

My question is: As the author of the parent page P and not being the author of the inner page A, how can I prevent A from doing this break-out?

P.S. It seems to me like it ought to be a cross-site security violation, but it isn't.

asked Sep 16, 2015 by yogeshplv
0 votes

Related Hot Questions

Government Jobs Opening

and onload="frameLoad()" and onreadystatechange="frameLoad();" must be added to the frame or iframe.

answered Sep 16, 2015 by girisha
0 votes
0 votes

I use sandbox="..."

  • allow-forms allows form submission
  • allow-popups allows popups
  • allow-pointer-lock allows pointer lock
  • allow-same-origin allows the document to maintain its origin
  • allow-scripts allows JavaScript execution, and also allows features to trigger automatically
  • allow-top-navigation allows the document to break out of the frame by navigating the top-level window

Top navigation is what you want to prevent, so leave that out and it will not be allowed. Anything left out will be blocked


answered Sep 16, 2015 by mtabakade
0 votes

Since the page you load inside the iframe can execute the "break out" code with a setInterval, onbeforeunload might not be that practical, since it could flud the user with 'Are you sure you want to leave?' dialogs.

There is also the iframe security attribute which only works on IE & Opera


answered Sep 16, 2015 by akhilesh
0 votes

In my case I want the user to visit the inner page so that server will see their ip as a visitor. If I use the php proxy technique I think that the inner page will see my server ip as a visitor so it is not good. The only solution I got so far is wilth onbeforeunload. Put this on your page:

This works both in firefox and ie, thats what I tested for. you will find versions using something like evt.return(whatever) crap... that doesn't work in firefox.

answered Sep 16, 2015 by nimisha.jagtap