[ Team LiB ] Previous Section Next Section

7.5 Avoiding Being "Framed" by Another Site

NN 2, IE 3

7.5.1 Problem

You want to prevent your site from appearing within another site's frameset.

7.5.2 Solution

Include the following script statements at the very top of a script appearing in the head portion of the document:

if (top != self) {
    top.location.href = location.href;
}

If you are using a frameset, include this script only in the framesetting document's script, and not in the documents that appear in the frames.

7.5.3 Discussion

The act of framing someone else's site is less prevalent than it was some years ago, but it can still happen. Sometimes it occurs innocently enough, when another site includes a pointer to your site but the link is part of a frameset navigation system, where all link destinations are loaded into a content frame of the site. Whether you are concerned that your site appears in a frame of someone else's site is a personal issue. A corporate site usually desires control of the user's experience at the site, and doesn't wish to have someone else's banner advertising appear in the same browser window as its own pages. Also, being in someone else's frameset makes it less likely that the visitor will correctly bookmark your site. Not all users—especially non-technical casual web surfers—know that the browser's contextual menu includes an option to bookmark just one frame.

The script in this recipe compares the current window object against whatever window object is reflected by the top window reference. A window object has four different ways to be referenced: window, self, parent, and top. There is no difference between window and self: they always refer to the current window regardless of the window's relationship among frames and framesets. Sometimes, as in this case, using self is more descriptive when you read the script. When the browser window contains no framesets, the current window object is also the parent and top object. If that condition isn't met when the page with the script shown in the Solution loads, the frameset gets replaced by the page running the script.

Because the unknown outer frame is undoubtedly originating from another domain and server, you cannot dig too deeply into the details of the top window, such as its URL. Security restrictions prevent that. But comparing the window object references does not violate the same origin policy.

7.5.4 See Also

Recipe 7.6 for a way to guarantee that a URL to one of your framed documents loads in its frameset.

    [ Team LiB ] Previous Section Next Section