Twitter's Frame Breaker To Stop Clickjacking
Twitter uses a frame breaker to help mitigate clickjacking. Interesting implementation:
if (window.top !== window.self) {
document.write = '';
window.top.location = window.self.location;
setTimeout(function() {
document.body.innerHTML = '';
},
1);
window.self.onload = function(evt) {
document.body.innerHTML = '';
};
}
if top window is not this window {
render the page starting here
refresh the page making me the top window to break out of any frames
remove page content (html including graphics, buttons, etc)
when window loads, again remove page content
}
NOTE: i think they meant document.write('');
Comments
Leave a Reply