Re: Framebreaking without JavaScript?

On Sun, 3 Aug 2008 03:34:51 +0200 (CEST)
Neredbojias <me@http://www.neredbojias.net/_eml/fliam.php> wrote in:
<Xns9AEEBD038599Dneredbojiasnano (AT) 194 (DOT) 177.96.78>

Quote:

On 02 Aug 2008, WebFoot <webfoot@.> wrote:



Jerry Stuckle <jstucklex (AT) attglobal (DOT) net> sez:
WebFoot wrote:
Jerry Stuckle <jstucklex (AT) attglobal (DOT) net> sez:
WebFoot wrote:
Is there a reliable way for a webpage to either break out or
refuse to display when a hostile website puts it in a frame?
[snip]

There is "somewhat" of a solution using the php
$_SERVER['HTTP_REFERER'] superglobal. While, as the manual states,
some browsers ignore or manipulate this, it is nevertheless
statistically effective and certainly applicable to the situation you
describe. My workup doesn't satisfy your "ideal" solution but I think
it complies with your "ok" solution just fine. Using php sessions may
allow the goal to be even better satisfied, but I think sessions have
their own drawbacks.

The code should be obvious, but if it isn't, I will post my own
flavor upon request.

I would like to see an example.

I just can't think of a way to use referer with or without a session
to determine if a page has been framed or just an outside link.


--

BootNic Sun Aug 3, 2008 12:07 pm
My problem lies in reconciling my gross habits with my net income.
*Errol Flynn*

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkiV18sACgkQylMUzZO6jeKrGwCg0rCJx5IqaT 4P2B95nL5SkHME
XOcAoKEmcoNofLIHo4esO9ZCe6FjiRLo
=zhIb
-----END PGP SIGNATURE-----

On 03 Aug 2008, BootNic <bootnic.bounce (AT) gmail (DOT) com> wrote:

Quote:

Is there a reliable way for a webpage to either break out or
refuse to display when a hostile website puts it in a frame?
[snip]

There is "somewhat" of a solution using the php
$_SERVER['HTTP_REFERER'] superglobal. While, as the manual states,
some browsers ignore or manipulate this, it is nevertheless
statistically effective and certainly applicable to the situation you
describe. My workup doesn't satisfy your "ideal" solution but I think
it complies with your "ok" solution just fine. Using php sessions may
allow the goal to be even better satisfied, but I think sessions have
their own drawbacks.

The code should be obvious, but if it isn't, I will post my own
flavor upon request.

I would like to see an example.

I just can't think of a way to use referer with or without a session
to determine if a page has been framed or just an outside link.

Basically it's just a matter of determining "the" desired referer (-and no
other.)

if ($_SERVER['HTTP_REFERER'] && $_SERVER['HTTP_REFERER'] !==
"http://www.example.com/target_page.php" && $_SERVER['HTTP_REFERER'] !==
"http://www.example.com/owners_referring_page.php") {
header("location:http://www.example.com/target_page.php");
exit;
}

IF there is a referer AND it is not the target (same original) page AND it
is not the page on which the author (OP) has the link, it will redirect to
itself perpetually, disallowing a viewable, usable screen; in effect it's
blank. One probably could eliminate the middle condition (self), and, with
sessions to record instance-to-instance variables, perhaps a true "break-
out-and-show" method might be possible, I dunno.

--
Neredbojias
http://www.neredbojias.net/
Great sights and sounds