Entry
How can I make a page that belongs in a frameset appear only where it belongs?
Jun 3rd, 2002 20:02
Hal Pawluk, Adam Sheik,
Jamming Frames with JavaScript
We start with some generic code that remains constant and doesn't
need to be changed. This sets up the home frameset to deal with "naked"
pages that need to be jammed into a specific frame. There are two steps:
1. Cut-and-paste the entire following script into the head of the
home frameset page:
<script>
if (self != top) // anti-hijacking frame buster code, may be removed
top.location.replace(self.location);
function frameJammer_hp(){
var framedPage = location.search;
if (framedPage.length > 1 && framedPage.indexOf("://") == -1){
framedPage = framedPage.substring(1);
var theSplit = framedPage.indexOf('~');
var thePage = framedPage.substring(0,theSplit);
var theFrame = framedPage.substring(theSplit+1);
eval("top."+ theFrame+".location.replace('"+ thePage+"')");
}
}
// optional special handling for IE < 4/Mac
// if you don't care, just delete the following
var agt = navigator.userAgent.toLowerCase();
var is_major = parseInt(navigator.appVersion);
var is_iemacdud = (agt.indexOf('msie')!=-1) && (agt.indexOf('mac')!=-1) &
& (is_major<4);
if (is_iemacdud) setTimeout('frameJammer_hp()',1500);
</script>
2. Call the function in the frameset tag of the home frameset page:
<frameset ... onLoad="frameJammer_hp()">
Now use the following script in the head of each page you want to
appear in a specfic frame of the frameset. In this example, the page
being frameJammed is in a subdirectory below the directory containing the
frameset page. ***This is a modification because the previous version
would not allow you to print the frame content in Netscape.
<script>
if (window.name!='framename'
&& !((self.innerHeight == 0) && (self.innerWidth == 0)))
top.location.replace('../framesetpage.htm?'+ location.href +
'~framename');
</script>
Substitute your own names for 'framesetpage' and 'framename'. Note
that you need to include the path to the frameset ("../framesetpage.htm")
from the page in which this code is used. This line of code was improved
and simplified by using "location.href" instead of the page name, thanks
to Adam Sheik. Note, however, that 'location.href' does not work with
Netscape 4.08 FWIW and if that bothers you, you should use the name of
the page, including the path from 'framesetpage.htm'.
Testing for the name of the frame is an anti-hijacking measure, too. If
the page is in the wrong frame, it will find its parent frameset and
position itself where it belongs. Substitute the name of your own frame
for "framename" but don't use standard names that might be in other
framesets like "main" and "content" (try "main_hp" or "hp_content" using
your own initials).
Note that this is also available as a Dreamweaver extension on my
site at http://www.pawluk.com/public/. Just mouseover the frameJammer
flyout menu and select 'download'.
CHANGE June 2002: An alert webmaster spotted a way to insert pages from
a foreign domain into a frameset that uses the old code provided here.
Using a link to the frameset like:
http://www.mydomain.com/frames.htm?http://www.rogue.com/
rogue.htm?whichframe
would open "http://www.mydomain.com/frames.htm" with "http://
www.rogue.com/rogue.htm" in the "whichframe" frame, rather than the page
I wanted there. The rogue could also use the ftp://, file:// or https://
protocols.
There is no change to the frameset, and it's only the presentation that
gets messed up when a visitor arrives from the "rogue" site. However,
the rogue page could also access any functions in the frameset, and if
these read cookies or generate data, the rogue page could capture that.
I've never heard of this happening (rogues certainly wouldn't tell me).
I've made the fix above, changing the original:
if (framedPage.length > 1) == -1){
to:
if (framedPage.length > 1 && framedPage.indexOf("://") == -1){
Hal http://www.pawluk.com/public/
