Facebook's Anti-Clickjacking Techniques


Facebook uses a frame breaker to help mitigate clickjacking: X-Frame-Options with "deny". They send off analytics in the process.

<script type="text/javascript"> /* <![CDATA[ */ if (top != self) {     try {         if (parent != top) {             throw 1;         }     } catch (e) {         setTimeout(function() {             var fb_cj_img = new Image();             fb_cj_img.src = "http:\/\/error.facebook.com\/common\/scribe_endpoint.php?c=si_clickjacking&m&t=";         }, 5000);         window.document.write("<style>body * { display:none !important; }<\/style><a href=\"#\" onclick=\"top.location.href=window.location.href\" style=\"display: block !important; padding: 10px\"><i class=\"img spritemap_3e9q9m sx_5eabfc\" style=\"display:block !important\"><\/i>Go to Facebook.com<\/a>");     } } /* ]]> */ </script>

They also specify X-Frame-Options in a meta tag. The value deny is to block the content from rendering if it is contained in a frame.

<noscript><meta http-equiv="X-Frame-Options" content="deny"/></noscript>
Posted . Did this help you? Please let me know with a comment. Thank you

Comments (RSS)

  1. anonymous

    if I had full access to the dom how could I disable this using a script of my own? I ask because im trying to create automation software in Titanium but I have to use iframes. with titanium I have full access to cross site dom but this frame breaker is stopping me from doing anything because it takes over my app window.

  2. anonymous

    take a look at window.onbeforeunload and sending a 204 header