Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Twitter Clickjacking protection
Posted by: stonedyak
Date: October 06, 2009 10:06AM

Twitter uses the following code to prevent clickjacking:

<script type="text/javascript">
if (window.top !== window.self) {
document.write = ""; // 1
window.top.location = window.self.location; //2
setTimeout(function(){document.body.innerHTML='';},1); // 3
window.self.onload=function(evt){document.body.innerHTML='';}; //4

This uses four separate methods to prevent clickjacking, and there's some that I don't fully understand.

Method 1 overwrites the 'document.write' method, but I'm not sure what this prevents
Method 2 is the basic framebusting technique.
Method 3 deletes the content of the page to prevent it being clicked. This is needed in case the framing page uses some sort of anti-framebusting technique (e.g http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing/)
Method 4 deletes the content of the page once it has loaded - but I'm not sure why this is needed as well as method 3.

Does anyone have any ideas on why methods 1 and 4 are required?

Options: ReplyQuote

Sorry, only registered users may post in this forum.