Raymond Camden's Blog

Busting Frames


Posted in Development | Posted on 08-18-2006 | 3,811 views

I discovered today that my site was being aggregated by Amsay.com. This is ok, but I noticed s/he was framing my web pages and showing ads in the left frame. That I don't feel so good about. I quickly added this to my body tag, and I will be adding it to the core blogcfc code.

<body onload="if(top != self) top.location.href=self.location.href">

Comments


Personally, I think you should redirect them to pr0n.
I had a problem with this before.

I went the pr0n route - but that's only if you check the referer.

They deserve it. They really do.
Just as a code nit, I try to avoid adding JavaScript to the onload attribute of the body tag (actually, I prefer to use Unobtrusive JavaScript and keep my JS out of my HTML completely).

As such, I typically use addEvent() for this purpose.

I would have the following code in my .js file. This will allow you to add multiple events to your page load and none of them need worry about whether others exist.

//use once (from onlinetools.org)
function addEvent(obj, evType, fn) {
   if (obj.addEventListener){
      obj.addEventListener(evType, fn, true);
      return true;
   } else if (obj.attachEvent){
      var r = obj.attachEvent("on"+evType, fn);
      return r;
   } else {
      return false;
   }
}
function frameBuster() {
   if(top != self){
      top.location.href=self.location.href
   }
}
addEvent(window,'load',frameBuster);
Some personal firewalls block the body onload scripts from firing. An easy workaround is to add this instead:

<script>
function init() {
if(top != self) top.location.href=self.location.href;
}
onload=init;
</script>
Just out of curiosity, what does this do to your site stats? Would it count as two views? The one initially framed page and the afterwards frame busted page?....
Cutter, it would count twice.

Steve/Joel: Good points, but, I want to keep this short and simple. If a firewall blocks the script, it isn't the end of the world for me.
Ray,

If you're going to use JS to do the redirect for pages that frame you, it might be interesting to append a URL token to the redirect, something like ?framebusted=1, so that you can filter it out in the blog stats program you use, or google analytics.
> Personally, I think you should redirect them to pr0n.

A friend of mine had something of this problem a couple of years ago. Someone else was leeching his site's content. So what he did is redo his site so that the images were replaced with mostly obscured pRon. Then he put a message on them that said "---.com is stealing these images. Until they stop, a lot more of this image will be revealed." Much to the disappointment (I imagine) of at least some users, the leech stopped after a couple of days.

Myself, I've just used Ray's approach.

larry
Rob - Not sure if you noticed, but your site is being pillaged as well.
Thanks Scott - I just noticed that after reading this post. I slapped Ray's original code in (to make diffing easier). That's part of why I suggested adding a URL string so it could be more easily tracked.

It'll be interesting to see how much traffic comes from their aggregator.
Ray,

You might consider replacing:
top.location.href=self.location.href;

with:

top.location.replace(self.location.href);

This just replaces their frame with your page in the user's history so that when they hit the "Back" button they don't get forwarded back to your page (after all, messing with the "Back" button is major bad mojo for usability).
If you're looking for a good redirect page, then this seems a likely candidate:
https://www.google.com/support/adsense/bin/answer....

There's info on their policies here:
"Any method that artificially generates clicks or impressions is strictly prohibited. These prohibited methods include but are not limited to: repeated manual clicks or impressions, incentives to click or to generate impressions, using robots, automated click and impression generating tools, third-party services that generate clicks or impressions such as paid-to-click, paid-to-surf, autosurf, and click-exchange programs, or any deceptive software."
https://www.google.com/adsense/policies?sourceid=a...

Sounds like a robot to me...?
You might as well know the email and phone number of the jerk who thinks this is a good idea, no?

Steve, I made your change both on my blog and in blogcfc.
Ray,

Right now when I go on the amsay.com site, your redirect code works very quickly. But while I was on vacation last week I accessed the same page, and the frame with your page took so long to load that the onLoad event effectively never occurred. Is there any reason not to run the script immediately in the page header instead of putting it in an onload event?
I meant to mention in the previous posting that while on vacation I was on a slower computer using a browser that seems to have had trouble loading some images. The point is that you can't always depend on the onLoad event firing in a timely manner.
Ironically enough, if you go to amsay.com and look at the entry for Ray, it's about the frame busting.

larry
Tom, thanks for the warning. I put it in the onLoad just because. I'm ok if it isn't 100% effective.
Charlie Arehart is also afflicted by this nastiness.
That guy makes your page show up in a frame, also he has google adsense ads running beside the pages he steals, this is a violation of the Google rules, he will lose his google account if you contact Google.
Does anyone have a simple instruction on how to redirect someone based on the top frame URL? I'm having a few people who are framing my page and I want to redirect users who are coming in from those domain names to go elsewhere.

Thanks.
I don't know it off the top of my head, but JavaScript gives you easy access to the current URL. So you should be able to easily get the host, and do:

if host is a, do x

else do y
Here's what I use in Javascript to access the top frame:

if(self != top ){
top.location.href = location.href;
}

for a starter this should help.

regards,
larry
Sorry, I'm a real newbie to JS scripting.

If I'm using

if(self != top ){
top.location.href = location.href;
}

what is the basic code to look at the top URL,
say for example cnn.com, and based on that
return, spit it to a different place (undesired location)...

if (top.location.href == "http://cnn.com") {
top.location.href = "http://www.gohere.com";
}

Something like that?
Check this -

http://www.irt.org/xref/Location.htm

it is a ref to the location object. If you want, you can get the host by itself easily enough.
I believe this works... Anyone see potential pitfalls?

<script LANGUAGE="JAVASCRIPT">
if (window.top != window.self)
{
window.top.location="http://www.cnn.com";
}

</script>
Not sure how many other people this affects, but I catch up on most blogs through Netvibes. Love the blog, but I have to say that it's a hassle to view with Netvibes. You can either see a feed view, which is abbreviated in your case, or you can view the actual site from within netvibes, which gets broken because of this particular script. Not a huge deal, but most other blogs seem to work just fine one way or the other.

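Added example, not code from the original post or from any commenter: one frame buster that combines the suggestions made in the thread (run immediately instead of on load, use location.replace, tag the reload with framebusted=1 for stats, and let chosen readers such as Netvibes keep framing the page). The ALLOWED_FRAMERS list, the host names in it, and the use of document.referrer to identify the framing page are assumptions of this example; the referrer is used because a script cannot read top.location of a page on another origin.

```javascript
// Added example (not from the original post or comments).
// ALLOWED_FRAMERS and its contents are illustrative assumptions.
const ALLOWED_FRAMERS = ["www.netvibes.com"]; // hosts permitted to frame us

// Pure decision function: returns the URL the top window should be sent to,
// or null when the page should be left alone.
function frameBustTarget(isFramed, selfHref, referrer, allowedHosts) {
  if (!isFramed) return null;
  // top.location cannot be read across origins, so the framing page is
  // identified from document.referrer. Empty or unparsable means unknown,
  // and an unknown framer is treated as not allowed.
  let framerHost = "";
  try {
    framerHost = new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    framerHost = "";
  }
  if (framerHost && allowedHosts.includes(framerHost)) return null;

  const target = new URL(selfHref);
  // Tag the reload so a stats tool can filter out the duplicate view.
  target.searchParams.set("framebusted", "1");
  return target.href;
}

// Browser glue: runs as soon as the script is parsed (place it in <head>),
// so it does not depend on the load event firing.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const target = frameBustTarget(
    window.top !== window.self,
    window.location.href,
    document.referrer,
    ALLOWED_FRAMERS
  );
  // replace() swaps the framing page out of history, so Back is not trapped.
  if (target) window.top.location.replace(target);
}
```

Script-based frame busting depends on the script running and being allowed to navigate the top window; the `Content-Security-Policy: frame-ancestors` response header has the browser enforce the same allow-list without any script.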