Any technique which prevents a website from being rendered inside an iframe falls under the heading of iframe busting techniques. Because of security issues like clickjacking, various kinds of iframe busting techniques are used.
Simple Iframe Busting (JS Code)
This is one of the simplest iframe busting techniques: the page's script checks whether it is the top window and, if it is not, changes the URL of the top window.
This technique is considered weak because there are easy ways to bypass it.
Bypass Iframe Code Busters
The sandbox attribute can be used on an iframe to allow forms, popups and scripts while blocking top-level navigation.
The frame therefore cannot change the URL of the parent window; the attempt just throws an error in the console.
Check out this demo on JSBin. You should see the following error in
Reliable Iframe Busting (X-Frame-Options)
The X-Frame-Options response header is a very reliable approach to busting iframes. It is not easy to bypass this HTTP response header: one would need to set up a proxy server that fetches the content from the website and returns a modified response to the browser.
There are three possible values for X-Frame-Options:
- DENY: The browser will not render the page inside a frame, irrespective of the domain of the parent page.
- SAMEORIGIN: The browser will render the page inside an iframe only if the page's domain is the same as the domain of the parent page.
- ALLOW-FROM uri: The browser will render the page inside an iframe only if the domain of the parent page is the same as specified as
Check out this demo on JSBin. You should see the following error in the developer tools.
There is no simple way to circumvent this response header, which is why it is considered one of the most reliable iframe busting techniques.
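To make the three directives concrete, here is an added example (not code from the original post) that models the browser-side decision: given the framed page's response headers, its URL and the URLs of the documents framing it, it reports whether the page renders, is blocked, or is simply unprotected. The header names, sample URLs and the helper names are constructed for illustration; SAMEORIGIN is checked against every ancestor, as current browsers do, and ALLOW-FROM follows the original RFC 7034 top-level-origin comparison.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to the (scheme, host, port) origin tuple that browsers compare."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def get_header(headers, name):
    """Case-insensitive lookup; a single X-Frame-Options value is assumed."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def frame_decision(headers, page_url, ancestor_urls):
    """Decide whether a browser honouring X-Frame-Options renders page_url in a frame.

    headers:       response headers of the framed page (dict, constructed below)
    ancestor_urls: URLs of the framing documents, top-level document first
    Returns 'render', 'block' or 'unprotected' (framable by anyone).
    """
    if not ancestor_urls:
        return "render"                      # top-level navigation: header is irrelevant
    value = get_header(headers, "X-Frame-Options")
    if value is None:
        return "unprotected"                 # no header at all: clickjacking is possible
    directive, _, arg = value.partition(" ")
    directive = directive.upper()
    page_origin = origin_of(page_url)
    if directive == "DENY":
        return "block"
    if directive == "SAMEORIGIN":
        # every ancestor, not only the top window, must share the page's origin
        same = all(origin_of(a) == page_origin for a in ancestor_urls)
        return "render" if same else "block"
    if directive == "ALLOW-FROM" and arg:
        # obsolete directive: only the top-level origin is compared (RFC 7034)
        return "render" if origin_of(ancestor_urls[0]) == origin_of(arg.strip()) else "block"
    return "unprotected"                     # unrecognised value: browsers ignore the header


# constructed sample responses for a hypothetical banking page
DENY_RESPONSE = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
SAMEORIGIN_RESPONSE = {"content-type": "text/html", "x-frame-options": "sameorigin"}
BARE_RESPONSE = {"Content-Type": "text/html"}
```

Note that modern browsers no longer implement ALLOW-FROM and treat it as an unrecognised value, so relying on it leaves the page framable.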
Bypass X-Frame-Options header on your machine
There are, however, tools available to bypass HTTP response headers on your own machine.
- Charles Proxy
- Browser extensions like Requestly for Chrome, Modify Response Headers for Firefox
Using Requestly (Chrome) to modify Headers
Requestly is a popular Chrome extension which allows you to modify HTTP(S) requests. It can be used to remove an HTTP response header like this:
Import Requestly Rule
Requestly also provides another useful feature to export and import rules. You can download the above rule here and import it into your extension.
Using Modify Response Header (Firefox)
Modify Response Headers is a Firefox add-on which allows you to modify HTTP(S) response headers. It can be used to remove an HTTP response header like this: