How to prevent iframe clickjacking attacks using javascript in cross domain?

How to prevent iframe clickjacking attacks using javascript in cross domain? how to prevent csrf attacks? what are csrf attacks? How to prevent clickjacking attacks?

Few days back one of my website was  down for 2 hours and I realized that it was an attack using iframes.Somebody attacked my website and sent spam traffic continuously by loading millions of frames in their sites.After analysis of  what is the actual problem, I decided to block my site whenever somebody loads my site into iframe, but  sometimes I am getting genuine traffic from iframes.So it became harder for me to decide whether I should allow iframe  or not.Then I  decided to write a script which allows to load specific number of iframes, and if someone tries  to load more than specified number of iframes, that page will be redirected to our domain automatically.


so here that code:


<script type=”text/javascript”>

function checkIframe( ifr )


try {

var global = ifr.document.location.href;

return global;


catch( e ) {

return false;



var frameslength = top.window.frames.length;

var iframes = top.window.frames;

if (top!=self){

var modifyindex = 0;

for(var i=0;i<frameslength;i++)


var result = checkIframe(iframes[i]);







modifyindex = i;




var firstframe = top.window.frames[modifyindex];

if(firstframe.framecount==null || firstframe.framecount==””)




var tempfcount = parseInt(firstframe.framecount);



firstframe.framecount = parseInt(firstframe.framecount)+1;












lets consider our domain as and the one who is loading our site in iframes is

In order to redirect to our domain after specified number of iframes loading, we need to count the number of iframes loaded in

For that we need to store and increment a variable each and every time when a new’s iframe is loaded.But by the same- origin – policy we cannot manipulate ‘s variables.For that I have some alternative. same – origin – policy we can’t manupulate domain) but we can access and modify same domain variables (here ‘s variables).

We already know html provides 3 object references of iframe

self – current iframe object reference.

parent – parent of current iframe object.

top – the object reference of the very first page or top page (we can say).

I want to create  variable called framecount in the very first iframe which contains our domain( whenever another iframe of our domain( is loaded i will increment this frame count.

When this framecount reaches I will redirect to our domain(

In the above code

frameslength = total number of iframes in the

iframes =  object of total iframes objects.

top = reference (html provides this)

self = reference (html provides this)

modifyindex = temporary variable to store our first iframe index which contains our domain.

checkIframe = is a function to check whether passed iframe is accessible or not, if accessible it will be considered as our iframe

to avoid the cross – origin – policy.

returns false if iframe is not accessible.

firstframe = is the object of our first loaded iframe.


framecount =  total number of iframes which contains our domain.


Here I am just comparing both top window and self window,
if it results true it means the loading window is not iframe
else it means the loading window is an iframe.

Then i am checking for the first iframe which loads our domain in using for loop.

when it finds, I am assigning its index to modifyindex variable and, then i am assigning its object to firstiframe variable using modifyindex variable.

using this object I’m creating framecount variable if not exists, else i am incrementing.

when  firstframe.framecount reaches specified number i am redirecting top frame to our domain.

Iframes screenshot


Iframe redirected domain

Hope you got a clear Idea about the topic, please comment for more information and clarifications.

Leave a Reply

Your email address will not be published. Required fields are marked *