Some websites have code to “break out” of IFRAME enclosures, meaning that if a page A is loaded as an IFRAME inside a parent page, A redirects the outer window with code like this:
// Compare the window objects: reading top.location.href throws when the parent page is on another origin.
if (top !== self) top.location.href = self.location.href;
So how do we bypass it? Well, that’s easy: there are a bunch of ‘helper’ utilities, aka browser extensions. The list below names the Firefox/Chrome add-ons that are worth mentioning. Most of them are built around the sandbox attribute.
But why is iFrame blocked by default?
Because it breaks too much stuff, while disabling scripts and blocking objects, combined with the anti-XSS protection (like within NoScript or ScriptSafe), actually prevents most of the IFRAME-based attacks you could imagine.
- Page Blocker
- Fix Url Links Redirect
- Remove Google Redirect in Google Results
- uMatrix / uBlock
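For a page that embeds content it does not control, the sandbox attribute mentioned above decides whether the frame-busting snippet can fire at all. The following is an added example, not code from the original post or from any of the listed extensions; the function name, field names and sample attribute values are constructed, and it models only the sandbox tokens, not any extra redirect blocking a browser applies on its own.

```javascript
// Classify what an <iframe sandbox="..."> value lets the framed page do to
// the outer window. Pass null when the iframe has no sandbox attribute.
function frameBusterOutcome(sandbox) {
  if (sandbox === null || sandbox === undefined) {
    // No sandboxing: scripts run and top navigation is not restricted by it.
    return { scriptsRun: true, topNavigation: 'allowed',
             sandboxPermitsAutoRedirect: true, warnings: [] };
  }
  // Tokens are split on ASCII whitespace and compared case-insensitively.
  const tokens = new Set(
    sandbox.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
  const scriptsRun = tokens.has('allow-scripts');

  let topNavigation = 'blocked';
  if (tokens.has('allow-top-navigation')) {
    topNavigation = 'allowed';
  } else if (tokens.has('allow-top-navigation-by-user-activation')) {
    topNavigation = 'user-activation'; // only after a click or key press
  }

  const warnings = [];
  if (scriptsRun && tokens.has('allow-same-origin')) {
    warnings.push('allow-scripts + allow-same-origin: same-origin content ' +
                  'can remove its own sandbox attribute');
  }
  // The frame-buster redirects on load only if its script runs AND the frame
  // may navigate the top window without a user gesture.
  const sandboxPermitsAutoRedirect = scriptsRun && topNavigation === 'allowed';
  return { scriptsRun, topNavigation, sandboxPermitsAutoRedirect, warnings };
}

// Constructed sample attribute values, from most to least restrictive.
const SAMPLES = [
  '', 'allow-scripts', 'allow-scripts allow-forms',
  'allow-scripts allow-top-navigation-by-user-activation',
  'allow-scripts allow-same-origin',
  'Allow-Scripts  allow-top-navigation', null,
];

function audit(samples) {
  return samples.map((s) => ({ sandbox: s, ...frameBusterOutcome(s) }));
}

for (const row of audit(SAMPLES)) {
  console.log(JSON.stringify(row.sandbox), '->', row.topNavigation,
              row.sandboxPermitsAutoRedirect ? 'REDIRECT POSSIBLE' : 'contained',
              row.warnings.join('; '));
}
```

Only the last two samples leave the outer window open to an automatic redirect; `allow-scripts` on its own lets the framed page's scripts run while keeping the top window where it is.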
How Do I Stop Links From Redirecting Me to Different Sites?
Some browser redirects are harmless. Some are incredibly malicious. Protect yourself from phishing attempts and unwanted software downloads by preventing your browser from being redirected to a different site. Extensions like Undirect may help here, but there are also ways to prevent this directly with the browser's own settings.

To prevent Chrome from being redirected to another site without your knowledge, click the “Customize and Control Google Chrome” button. The button has three horizontal lines on it. Click “Settings.” Click the “Show Advanced Settings” link to display more setting options. In the Privacy section, click “Enable Phishing and Malware Protection.” Close the browser window. Google now displays a warning if the browser is trying to redirect you.

In Firefox, click the “Open Menu” button, which has three horizontal lines. Click the “Options” button in the panel that opens. Click the “Advanced” button and then the “General” tab. In the Accessibility section, check the “Warn Me When Websites Try to Redirect or Reload the Page” box. Click “OK.”
Since this topic is huge, I will try to write now and then about the specific mechanisms, extensions and how to prevent certain things.
Stay tuned for more!