Facebook's Anti-Clickjacking Techniques
Facebook uses a frame breaker to help mitigate clickjacking: X-Frame-Options with "deny". They send off analytics in the process.
<script type="text/javascript">
/* <![CDATA[ */
if (top != self) {
try {
if (parent != top) {
throw 1;
}
} catch (e) {
setTimeout(function() {
var fb_cj_img = new Image();
fb_cj_img.src = "http:\/\/error.facebook.com\/common\/scribe_endpoint.php?c=si_clickjacking&m&t=";
}, 5000);
window.document.write("<style>body * { display:none !important; }<\/style><a href=\"#\" onclick=\"top.location.href=window.location.href\" style=\"display: block !important; padding: 10px\"><i class=\"img spritemap_3e9q9m sx_5eabfc\" style=\"display:block !important\"><\/i>Go to Facebook.com<\/a>");
}
}
/* ]]> */
</script>They also specify X-Frame-Options in a meta tag. The value deny is to block the content from rendering if it is contained in a frame.
<noscript><meta http-equiv="X-Frame-Options" content="deny"/></noscript>
2 comments
if I had full access to the dom how could I disable this using a script of my own? I ask because im trying to create automation software in Titanium but I have to use iframes. with titanium I have full access to cross site dom but this frame breaker is stopping me from doing anything because it takes over my app window.
take a look at
window.onbeforeunloadand sending a 204 headerLeave a Reply