Busting Frames

I discovered today that my site was being aggregated by Amsay.com. This is ok, but I noticed s/he was framing my web pages and showing ads in the left frame. That I don't feel so good about. I quickly added this to my body tag, and I will be adding it to the core blogcfc code.

<body onload="if(top != self) top.location.href=self.location.href">

Comments

Personally, I think you should redirect them to pr0n.
# Posted By Scott Stroz | 8/18/06 11:39 AM
I had a problem with this before.

I went the pr0n route - but that's only if you check the referer.

They deserve it. They really do.
# Posted By Dan | 8/18/06 11:56 AM
Just as a code nit, I try to avoid adding JavaScript to the onload attribute of the body tag (actually, I prefer to use Unobtrusive JavaScript and keep my JS out of my HTML completely).

As such, I typically use addEvent() for this purpose.

I would have the following code in my .js file. This will allow you to add multiple events to your page load and none of them need worry about whether others exist.

//use once (from onlinetools.org)
function addEvent(obj, evType, fn) {
   if (obj.addEventListener){
      obj.addEventListener(evType, fn, true);
      return true;
   } else if (obj.attachEvent){
      var r = obj.attachEvent("on"+evType, fn);
      return r;
   } else {
      return false;
   }
}
function frameBuster() {
   if(top != self){
      top.location.href=self.location.href
   }
}
addEvent(window,'load',frameBuster);
# Posted By Steve Bryant | 8/18/06 12:10 PM
Some personal firewalls block the body onload scripts from firing. An easy workaround is to add this instead:

<script>
function init() {
if(top != self) top.location.href=self.location.href;
}
onload=init;
</script>
# Posted By Joel Cox | 8/18/06 12:27 PM
Just out of curiosity, what does this do to your site stats? Would it count as two views? The one initially framed page and the afterwards frame busted page?....
# Posted By Cutter | 8/18/06 12:28 PM
Cutter, it would count twice.

Steve/Joel: Good points, but, I want to keep this short and simple. If a firewall blocks the script, it isn't the end of the world for me.
# Posted By Raymond Camden | 8/18/06 12:35 PM
Ray,

If you're going to use JS to do the redirect for pages that frame you, it might be interesting to append a URL token to the redirect, something like ?framebusted=1, so that you can filter it out in the blog stats program you use, or google analytics.
# Posted By Rob Brooks-Bilson | 8/18/06 1:07 PM
> Personally, I think you should redirect them to pr0n.

A friend of mine had something of this problem a couple of years ago. Someone else was leeching his site's content. So what he did is redo his site so that the images were replaced with mostly obscured pRon. Then he put a message on them that said "---.com is stealing these images. Until they stop, a lot more of this image will be revealed." Much to the disappointment (I imagine) of at least some users, the leech stopped after a couple of days.

Myself, I've just used Ray's approach.

larry
# Posted By Larry C. Lyons | 8/18/06 1:14 PM
Rob - Not sure if you noticed, but your site is being pillaged as well.
# Posted By Scott Stroz | 8/18/06 1:22 PM
Thanks Scott - I just noticed that after reading this post. I slapped Ray's original code in (to make diffing easier). That's part of why I suggested adding a URL string so it could be more easily tracked.

It'll be interesting to see how much traffic comes from their aggregator.
# Posted By Rob Brooks-Bilson | 8/18/06 1:50 PM
Ray,

You might consider replacing:
top.location.href=self.location.href;

with:

top.location.replace(self.location.href);

This just replaces their frame with your page in the user's history so that when they hit the "Back" button they don't get forwarded back to your page (after all, messing with the "Back" button is major bad mojo for usability).
# Posted By Steve Bryant | 8/18/06 3:19 PM
If you're looking for a good redirect page, then this seems a likely candidate:
https://www.google.com/support/adsense/bin/answer....

There's info on their policies here:
"Any method that artificially generates clicks or impressions is strictly prohibited. These prohibited methods include but are not limited to: repeated manual clicks or impressions, incentives to click or to generate impressions, using robots, automated click and impression generating tools, third-party services that generate clicks or impressions such as paid-to-click, paid-to-surf, autosurf, and click-exchange programs, or any deceptive software."
https://www.google.com/adsense/policies?sourceid=a...

Sounds like a robot to me...?
# Posted By John Dowdell | 8/18/06 4:23 PM
You might as well know the email and phone number of the jerk who thinks this is a good idea, no?

# Posted By Chris Scott | 8/18/06 9:51 PM
Steve, I made your change both on my blog and in blogcfc.
# Posted By Raymond Camden | 8/19/06 8:57 PM
Ray,

Right now when I go on the amsay.com site, your redirect code works very quickly. But while I was on vacation last week I accessed the same page, and the frame with your page took so long to load that the onLoad event effectively never occurred. Is there any reason not to run the script immediately in the page header instead of putting it in an onload event?
# Posted By Tom Mollerus | 8/20/06 10:38 AM
I meant to mention in the previous posting that while on vacation I was on a slower computer using a browser that seems to have had trouble loading some images. The point is that you can't always depend on the onLoad event firing in a timely manner.
# Posted By Tom Mollerus | 8/20/06 10:40 AM
Ironically enough, if you go to amsay.com and look at the entry for Ray, it's about the frame busting.

larry
# Posted By Larry C. Lyons | 8/20/06 11:05 AM
Tom, thanks for the warning. I put it in the onLoad just because. I'm ok if it isn't 100% effective.
# Posted By Raymond Camden | 8/20/06 12:54 PM
Charlie Arehart is also afflicted by this nastiness.
# Posted By Stephen Moretti | 8/21/06 3:37 AM
That guy makes your page show up in a frame, also he has google adsense ads running beside the pages he steals, this is a violation of the Google rules, he will lose his google account if you contact Google.
# Posted By Says So | 8/22/06 7:10 AM
Does anyone have a simple instruction on how to redirect someone based on the top frame URL? I'm having a few people who are framing my page and I want to redirect users who are coming in from those domain names to go elsewhere.

Thanks.
# Posted By Nick Vincent | 10/18/06 2:00 PM
I don't know it off the top of my head, but JavaScript gives you easy access to the current URL. So you should be able to easily get the host, and do:

if host is a, do x

else do y
# Posted By Raymond Camden | 10/18/06 2:06 PM
Here's what I use in JavaScript to access the top frame:

if(self != top ){
top.location.href = location.href;
}

For a starter, this should help.

regards,
larry
# Posted By Larry C. Lyons | 10/18/06 2:13 PM
Sorry, I'm a real newbie to JS scripting.

If I'm using

if(self != top ){
top.location.href = location.href;
}

what is the basic code to look at the top URL,
say for example cnn.com, and based on that
return, spit it to a different place (undesired location)...

if (top.location.href == "http://cnn.com") {
top.location.href = "http://www.gohere.com";
}

Something like that?
# Posted By Nick Vincent | 10/18/06 2:17 PM
Check this -

http://www.irt.org/xref/Location.htm

it is a ref to the location object. If you want, you can get the host by itself easily enough.
# Posted By Raymond Camden | 10/18/06 2:32 PM
I believe this works... Anyone see potential pitfalls?

<script LANGUAGE="JAVASCRIPT">
if (window.top != window.self)
{
window.top.location="http://www.cnn.com";
}

</script>
# Posted By Nick Vincent | 10/18/06 2:51 PM
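
Added example, not part of the original post or any commenter's code: one frame buster that combines the suggestions in this thread (location.replace, a ?framebusted=1 token, running inline instead of from onload) and decides by framing host. The ALLOWED_FRAMERS list, its hostname, and the function names are assumptions made for illustration.

```javascript
// Added example. ALLOWED_FRAMERS and the function names are hypothetical;
// the "framebusted" token follows the ?framebusted=1 suggestion in the thread.
const ALLOWED_FRAMERS = ["www.netvibes.com"]; // constructed sample entry

// Host of the framing page. A framed page cannot read top.location.href
// when the framer is on another origin, so document.referrer is used.
function framingHost(referrer) {
  try {
    return new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return ""; // empty or malformed referrer: framer unknown
  }
}

// Returns the URL the top window should be replaced with, or null
// when the page is not framed or the framer is on the allowlist.
function bustTarget(win, doc) {
  if (win.top === win.self) return null; // not framed
  const host = framingHost(doc.referrer);
  if (host && ALLOWED_FRAMERS.includes(host)) return null;
  const url = new URL(win.self.location.href);
  url.searchParams.set("framebusted", "1"); // lets site stats filter the second hit
  return url.href;
}

// Call inline from <head>, not from onload, so slow images cannot delay it.
function bustFrames(win, doc) {
  const target = bustTarget(win, doc);
  // replace() overwrites the framed entry in history, so Back still works.
  if (target !== null) win.top.location.replace(target);
  return target;
}

// In a browser this runs as soon as the script is parsed.
if (typeof window !== "undefined") bustFrames(window, document);
```

Browsers released after this thread also honor the X-Frame-Options and Content-Security-Policy frame-ancestors response headers, which refuse framing without depending on script running in the framed page.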
Not sure how many other people this affects, but I catch up on most blogs through Netvibes. Love the blog, but I have to say that it's a hassle to view with Netvibes. You can either see a feed view, which is abbreviated in your case, or you can view the actual site from within Netvibes, which gets broken because of this particular script. Not a huge deal, but most other blogs seem to work just fine one way or the other.
# Posted By Scott Johnson | 1/24/08 12:03 PM