Raymond Camden's ColdFusion Blog: Busting Frames

Busting Frames

I discovered today that my site was being aggregated by Amsay.com. This is ok, but I notice s/he was framing my web pages and showing ads in the left frame. That I don't feel so good about. I quickly added this to my body tag, and I will be adding it to the core blogcfc code.

view plain print about

<body onload="if(top != self) top.location.href=self.location.href">

1 <body onload="if(top != self) top.location.href=self.location.href">

This entry was posted on Friday, August 18, 2006 at 11:34 AM. It was filed in the following categories: Development. It has been viewed 3,093 times and has 27 comments.

TweetBacks

Comments

[Add Comment] [Subscribe to Comments]

Comment 1 written by Scott Stroz on 18 August 2006, at 11:39 AM

Personally, I think you should redirect them to pr0n.
Comment 2 written by Dan on 18 August 2006, at 11:56 AM

I had problem with this before.

I went the pr0n route - but that's only if you check the referer.

They deserve it. They really do.
Comment 3 written by Steve Bryant on 18 August 2006, at 12:10 PM

Just as a code nit, I try to avoid adding JavaScript to the onload attribute of the body tag (actually, I prefer to use Unobtrusive JavaScript and keep by JS out of my HTML completely).

As such, I typically use addEvent() for this purpose.

I would have the following code in my .js file. This will allow you to add multiple events to your page load and none of the need worry about whether others exist.

//use once (from onlinetools.org)
function addEvent(obj, evType, fn) {
   if (obj.addEventListener){
      obj.addEventListener(evType, fn, true);
      return true;
   } else if (obj.attachEvent){
      var r = obj.attachEvent("on"+evType, fn);
      return r;
   } else {
      return false;
   }
}
function frameBuster() {
   if(top != self){
      top.location.href=self.location.href
   }
}
addEvent(window,'load',frameBuster);
Comment 4 written by Joel Cox on 18 August 2006, at 12:27 PM

Some personal firewalls block the body onload scripts from firing. An easy workaround is to add this instead:

<script>
function init() {
if(top != self) top.location.href=self.location.href;
}
onload=init;
</script>
Comment 5 written by Cutter on 18 August 2006, at 12:28 PM

Just out of curiosity, what does this do to your site stats? Would it count as to views? The one initially framed page and the afterwards frame busted page?....
Comment 6 written by Raymond Camden on 18 August 2006, at 12:35 PM

Cutter, it would count twice.

Steve/Joel: GOod points, but, I want to keep this short and simple. If a firewall blocks the script, it isn't the end of the world for me.
Comment 7 written by Rob Brooks-Bilson on 18 August 2006, at 1:07 PM

Ray,

If you're going to use JS to do the redirect for pages that frame you, it might be interesting to append a URL token to the redirect, something like ?framebusted=1, so that you can filter it out in the blog stats program you use, or google analytics.
Comment 8 written by Larry C. Lyons on 18 August 2006, at 1:14 PM

> Personally, I think you should redirect them to pr0n.

A friend of mine had something of this problem a couple of years ago. Someone else was leeching his site's content. So what he did is redo his site so that the images were replaced with mostly obscured pRon. Then he put a message on them that said "---.com is stealing these images. Until they stop, a lot more of this image will be revealed." Much to the dissappointment (I imagine) of at least some users, the leech stopped after a couple of days.

Myself, I've just used Ray's approach.

larry
Comment 9 written by Scott Stroz on 18 August 2006, at 1:22 PM

Rob - Not sure if you noticed, but your site is being pillaged as well.
Comment 10 written by Rob Brooks-Bilson on 18 August 2006, at 1:50 PM

Thanks Scott - I just noticed that after reading this post. I slapped Ray's original code in (to make diffing easier). That's part of why I suggested adding a URL string so it could be more easily tracked.

It'll be interesting to see how much traffic comes from their aggregator.
Comment 11 written by Steve Bryant on 18 August 2006, at 3:19 PM

Ray,

You might consider replacing:
top.location.href=self.location.href;

with:

top.location.replace(self.location.href);

This just replaces their frame with your page in the users history so that when they hit the "Back" button they don't get forward back to your page (after all, messing with the "Back" button is major bad mojo for usability).
Comment 12 written by John Dowdell on 18 August 2006, at 4:23 PM

If you're looking for a good redirect page, then this seems a likely candidate:
https://www.google.com/support/adsense/bin/answer....

There's info on their policies here:
"Any method that artificially generates clicks or impressions is strictly prohibited. These prohibited methods include but are not limited to: repeated manual clicks or impressions, incentives to click or to generate impressions, using robots, automated click and impression generating tools, third-party services that generate clicks or impressions such as paid-to-click, paid-to-surf, autosurf, and click-exchange programs, or any deceptive software."
https://www.google.com/adsense/policies?sourceid=a...

Sounds like a robot to me...?
Comment 13 written by Chris Scott on 18 August 2006, at 9:51 PM

You might as well know the email and phone number of the jerk who thinks this is a good idea, no?

omain: AMSAY.COM
created: 16-Sep-2005
last-changed: 11-May-2006
registration-expiration: 16-Sep-2006

nserver: ns29.1and1.com 217.160.224.2
nserver: ns30.1and1.com 217.160.228.2

status: CLIENT-TRANSFER-PROHIBITED

registrant-firstname: King
registrant-lastname: Wang
registrant-organization: cnight.
registrant-street1: unit a 18/f
registrant-pcode: 11001
registrant-state: AL
registrant-city: sun
registrant-ccode: US
registrant-phone: +43.2448276433
registrant-email: playmsg@gmail.com
Comment 14 written by Raymond Camden on 19 August 2006, at 8:57 PM

Steve, I made your change both on my blog and in blogcfc.
Comment 15 written by Tom Mollerus on 20 August 2006, at 10:38 AM

Ray,

Right now when I go on the amsay.com site, your redirect code works very quickly. But while I was on vacation last week I accessed the same page, and the frame with your page took so long to load that the onLoad event effectively never occurred. Is there any reason not to run the script immediately in the page header instead of putting it in an onload event?
Comment 16 written by Tom Mollerus on 20 August 2006, at 10:40 AM

I meant to mention in the previous posting that while on vacation I was on a slower computer using a browser that seems to have had trouble loading some images. The point is that you can't always depend on the onLoad event firing in a timely manner.
Comment 17 written by Larry C. Lyons on 20 August 2006, at 11:05 AM

ironically enough, if you go to amsay.com and look at the entry for Ray, its about the frame busting.

larry
Comment 18 written by Raymond Camden on 20 August 2006, at 12:54 PM

Tom, thanks for the warning. I put it in the onLoad just because. I'm ok if it isn't 100% effective.
Comment 19 written by Stephen Moretti on 21 August 2006, at 3:37 AM

Charlie Arehart is also afflicted by this nastiness.
Comment 20 written by Says So on 22 August 2006, at 7:10 AM

That guy makes your page show up in a frame, also he has google adsense ads running beside the pages he steals, this is a violation of the Google rules, he will loose his google account if you contact Google.
Comment 21 written by Nick Vincent on 18 October 2006, at 2:00 PM

Does anyone have a simple instruction on how to redirect someone based on the top frame URL? I've having a few people who are framing my page and I want to redirect users who are coming in from those domain names to go elseware.

Thanks.
Comment 22 written by Raymond Camden on 18 October 2006, at 2:06 PM

I don't know it off the top of my head, but JavaScript gives you easy access to the current URL. So you should be able to easily get the host, and do:

if host is a, do x

else do y
Comment 23 written by Larry C. Lyons on 18 October 2006, at 2:13 PM

Here's what I use in Javascript to access the top frame:

if(self != top ){
top.location.href = location.href;
}

for a starter this should help.

regards,
larry
Comment 24 written by Nick Vincent on 18 October 2006, at 2:17 PM

Sorry, I'm a real newbie to JS scripting.

If I'm using

if(self != top ){
top.location.href = location.href;
}

what is the basic code to look at the top URL,
say for example cnn.com, and based on that
return, spit it to a different place (undesired location)...

if (top.location.href == "http://cnn.com";) {
top.location.href = "http://www.gohere.com;
}

Something like that?
Comment 25 written by Raymond Camden on 18 October 2006, at 2:32 PM

Check this -

http://www.irt.org/xref/Location.htm

it is a ref to the location object. If you want, you can get the host by itself easily enough.
Comment 26 written by Nick Vincent on 18 October 2006, at 2:51 PM

I believe this works... Anyone see potential pitfalls?

<script LANGUAGE="JAVASCRIPT">
if (window.top != window.self)
{
window.top.location="http://www.cnn.com";
}

</script>
Comment 27 written by Scott Johnson on 24 January 2008, at 12:03 PM

Not sure how many other people this affects, but I catch up on most blogs through Netvibes. Love the blog, but I have to say that it's a hassle to view with Netvibes. You can either see a feed view, which is abbreviated in your case, or you can view the actual site from within netvibes, which gets broken because of this particular script. Not a huge deal, but most other blogs seem to work just fine one way or the other.

[Add Comment] [Subscribe to Comments]

coldfusionJedi

coldfusion, flex, ajax, and stuff

Busting Frames

TweetBacks

Comments

Sponsors

Subscribe

Categories

Who am I?

Recent Posts

Recent Comments

BlogCFC