Browser extensions Security

How to Block Iframes, JavaScript & Redirections

Some websites carry code to “break out” of IFRAME enclosures: if a page A is loaded as an IFRAME inside a parent page P, some JavaScript in A redirects the outer window to A.

Typically this JavaScript looks something like this:

  // if we are not the top-level window, navigate the top window to ourselves
  if (top.location.href != self.location.href)
     top.location.href = self.location.href;

iFrame example

So how do we get around it? That’s easy: there are a bunch of ‘helper’ utilities, i.e. browser extensions. In my list I mention the Firefox/Chrome add-ons that are worth noting. Most of them are built around the iframe sandbox attribute.

But why isn’t iFrame blocked by default?

Because blocking frames breaks too much stuff, while disabling scripts and blocking objects, combined with the anti-XSS protection (as in NoScript or ScriptSafe), already prevents most of the IFRAME-based attacks you could imagine.
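Frame-busting scripts like the one above depend on the framed page being allowed to navigate the top window, which a parent page can withhold (the sandbox attribute mentioned above does exactly that). A site that must not be framed should therefore rely on headers the browser enforces. The following is an added example, not code from the original post or from any extension: it audits a response’s headers and reports what framing protection they actually provide. The header values and hostnames are constructed for the demo.

```javascript
// Added example: classify a page's framing protection from its response headers.
// A page that relies only on frame-busting JavaScript ends up as 'none' here,
// which is the point: the script is advisory, the headers are enforced.

function parseFrameAncestors(csp) {
  // Return the source list of the CSP frame-ancestors directive, or null if absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0] && parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1);
    }
  }
  return null;
}

function framingProtection(headers) {
  // headers: object keyed by lowercase header name.
  // Returns 'denied', 'same-origin', 'allowlist' or 'none'.
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors && ancestors.length > 0) {
    // frame-ancestors takes precedence over X-Frame-Options where both are present.
    const sources = ancestors.map((s) => s.toLowerCase());
    if (sources.length === 1 && sources[0] === "'none'") return 'denied';
    if (sources.length === 1 && sources[0] === "'self'") return 'same-origin';
    return 'allowlist';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'denied';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  return 'none';
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  'script-only.example': {},                                   // frame-busting JS only
  'legacy.example':      { 'x-frame-options': 'SAMEORIGIN' },
  'modern.example':      { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  'partnered.example':   { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
};

function auditAll(samples) {
  const report = {};
  for (const [host, headers] of Object.entries(samples)) {
    report[host] = framingProtection(headers);
  }
  return report;
}

console.log(auditAll(SAMPLES));
```

Run it with Node; `script-only.example` is reported as `none`, which is how a page that trusts only the JavaScript snippet looks to a browser once that script is neutralised.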


How Do I Stop Links From Redirecting Me to Different Sites?

Some browser redirects are harmless. Some are incredibly malicious. Protect yourself from phishing attempts and unwanted software downloads by preventing your browser from being redirected to a different site. Extensions like Undirect may help here, but there are also ways to prevent this directly with the settings the browser provides.

To prevent Chrome from being redirected to another site without your knowledge, click the “Customize and Control Google Chrome” button. The button has three horizontal lines on it. Click “Settings.” Click the “Show Advanced Settings” link to display more setting options. In the Privacy section, click “Enable Phishing and Malware Protection.” Close the browser window. Google now displays a warning if the browser is trying to redirect you.

In Firefox, click the “Open Menu” button, which has three horizontal lines. Click the “Options” button in the panel that opens. Click the “Advanced” button and then the “General” tab. In the Accessibility section, check the “Warn Me When Websites Try to Redirect or Reload the Page” box. Click “OK.”

What about JavaScript?

JavaScript is important, and disabling it completely breaks a lot of pages. So work with exceptions and allow it as needed on a per-domain basis. There are also ways to work with multiple browser profiles, so you can surf with or without it depending on the profile. NoScript or uMatrix work best here, and they are more or less easy to understand and use.
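To make the per-domain idea concrete, here is an added example of how such an allow-list decision can be modelled. It is not NoScript’s or uMatrix’s own code and does not claim to reproduce their rule syntax; it is a simplified matrix of [source site, destination host, type, action] rules where a host pattern also covers its subdomains and the most specific matching rule wins. All hostnames and rules are constructed for the demo.

```javascript
// Added example: a simplified per-domain script permission matrix.
// Default is fail-closed (block); exceptions are granted per site.

// Constructed rule set (hostnames are placeholders, not real sites).
const RULES = [
  ['*',            '*',               'script', 'block'], // global default: scripts blocked
  ['*',            'cdn.example',     'script', 'allow'], // a CDN trusted on every site
  ['news.example', 'news.example',    'script', 'allow'], // first-party scripts on one site
  ['news.example', 'tracker.example', 'script', 'block'], // explicit block beats nothing
];

function hostMatches(pattern, host) {
  // '*' matches any host; otherwise the pattern matches itself and its subdomains.
  if (pattern === '*') return true;
  return host === pattern || host.endsWith('.' + pattern);
}

function specificity(pattern) {
  // '*' is least specific; more labels means a more specific host pattern.
  return pattern === '*' ? 0 : pattern.split('.').length;
}

function decide(rules, sourceHost, destHost, type) {
  // Pick the most specific applicable rule; source specificity outranks destination
  // so that a per-site exception overrides a global rule for the same destination.
  let best = null;
  let bestScore = -1;
  for (const [src, dst, t, action] of rules) {
    if (t !== '*' && t !== type) continue;
    if (!hostMatches(src, sourceHost) || !hostMatches(dst, destHost)) continue;
    const score = specificity(src) * 100 + specificity(dst);
    if (score > bestScore) {
      bestScore = score;
      best = action;
    }
  }
  return best === null ? 'block' : best; // no rule at all: fail closed
}

// Constructed requests: [page you are on, host the script is loaded from]
const REQUESTS = [
  ['news.example',  'www.news.example'],
  ['news.example',  'tracker.example'],
  ['news.example',  'cdn.example'],
  ['other.example', 'other.example'],
];

for (const [page, scriptHost] of REQUESTS) {
  console.log(`${page} -> ${scriptHost}: ${decide(RULES, page, scriptHost, 'script')}`);
}
```

The scoring is the part worth studying: a rule scoped to `news.example` beats the global `*` row, so first-party scripts run on that site while the same CDN rule and the same default apply everywhere else.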

Since this topic is very large, I will try to write here and there about the specific mechanisms, the extensions, and how to prevent certain things.

Stay tuned for more!