I've been investigating frame breaking code recently and have come across some really bizarre behavior related to the same origins policy that I am having trouble understanding.
Suppose I've got a page Breaker.html on domain A, and a page Container.html on domain B. The example frame breaker code would go into Breaker.html, like below:
if (top !== self) top.location.href = self.location.href;
This will successfully break Breaker.html out of Container.html, but I don't understand why it should. From my reading of the same origins policy, top.location shouldn't be accessible at all, since Container.html is on a different domain than Breaker.html. Even weirder, it appears that top.location write-only:
// Fails if Container.html is on a different domain than Breaker.html
alert(top.location);
This is problematic to me because I'm trying to write code that allows my page to be in an iframe, but only if it's on the same domain as its parent (or is on a configured allowable domain) . However, it seems to be impossible to determine this, since the same origins policy denies me access to the parent's location.
So I've got two questions, basically:
Why does the above frame breaker code work at all?
Is there any way to break frames conditionally, or is the only check one can do is whether top !== self? (In particular, I want to be able to read the domain, so that I can provide a list of allowable domains; simply checking whether I'm in the same domain or not would not be ideal.)
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
