Frame Busting

I read a detailed paper on how popular web sites perform frame busting. Attacks such as clickjacking use frames to trick users. The attack goes like this: a malicious site uses a frame to make you think that you are on the real web site. You are in fact seeing the real web site, but inside the hacker's frame. Web sites try to prevent this by detecting whether you are on their site directly or in an unscrupulous frame.

Frame busting is normally some extra JavaScript on the real site that detects the frame problem. The technique is not normally used on every single page of a web site; it is seen on login screens. Hackers are trying to bypass the frame busting techniques. For example, when they enclose their site in double frames, the prevention sometimes fails. So how can you combat such frame hacks on the Internet?

Your code can check the domain name, but that check can be tricked as well. You can play some tricks with overlay HTML elements; however, those are not foolproof either. What you really need is some support from the browser. IE8 has defenses against clickjacking. So does Mozilla. But you have to employ these defenses in your code, and your users need the right browsers to take advantage of them. The paper I read recommended that you do some HTML hacks of your own to hide content if your pages are found to be framed.
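
Here is one way the hide-if-framed idea can look in practice. This is an added example, not code from the paper or from this post; the style element id `antiClickjack` and the function name `applyFramingDefense` are assumptions made for illustration.

```javascript
// Added example, not code from the paper or the post. Assumed markup in <head>:
//   <style id="antiClickjack">body { display: none !important; }</style>
// The page is hidden by default; this script reveals it only when unframed.

function applyFramingDefense(win, doc) {
  let framed;
  try {
    // When the page is loaded inside a frame, top is a different window.
    framed = win.self !== win.top;
  } catch (e) {
    // Any error while checking counts as framed, so the failure mode is safe.
    framed = true;
  }

  if (framed) {
    // Content stays hidden whether or not this navigation is allowed.
    try {
      win.top.location = win.self.location.href;
    } catch (e) {
      // Navigation blocked by the framing page: nothing more to do.
    }
    return 'hidden';
  }

  // Not framed: remove the hiding style so the page renders normally.
  const style = doc.getElementById('antiClickjack');
  if (style && style.parentNode) {
    style.parentNode.removeChild(style);
  }
  return 'shown';
}

// Run automatically in a browser; under Node nothing happens here.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFramingDefense(window, document);
}
```

Because the content starts hidden, a framed page stays blank even when the script is blocked or the escape navigation fails. Browser-enforced protection is requested with a response header such as `X-Frame-Options: DENY`, and this script is only the fallback for browsers that ignore it.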