Framebusting

Framebusting is a way to prevent clickjacking, which occurs when a malicious web site pulls a page originating from another domain into a frame and overlays it with a counterfeit page, allowing only portions of the original, or clickjacked, page (for example, a button) to display. When users click the button, they in fact are clicking a button on the clickjacked page, causing unexpected results.

For example, say your application is a web-based application that resides in DomainA, and a web site in DomainB clickjacks your page by creating a page with an IFrame that points to a page in your web application at DomainA. When the two pages are combined, the page from DomainB covers most of your page in the IFrame, and exposes only a button on your page that deletes all records in your web application. Users, not realizing they are actually in the web application, may click the button and inadvertently delete all records.

Framebusting prevents clickjacking by using the following JavaScript to block the application's pages from running in frames:

top.location.href = location.href;

In Server Manager, you can configure Security settings for the EnterpriseOne HTML Server to prevent framebusting in EnterpriseOne. The settings include:

  • frameBustingForLogin

  • frameBustingForE1Menu

  • frameBustingForApp

The valid values for each setting are:

  • always. If the page is in an iframe, the page will take over the whole window.

  • differentDomain. (Default) If the page is in a iframe and the page and parent window are from different domain, the page will take over the whole window.

  • never. Even if a page is in a iframe, the page will never take over the whole window.

For more information about the configuration group settings for the EnterpriseOne HTML Server, see the "EnterpriseOne HTML Server" in the JD Edwards EnterpriseOne Tools Server Manager Guide.

If you configure your application to use framebusting by setting the parameter to always, then whenever a page tries to run in a frame, the JavaScript code is run to define the page as topmost, and the page is disallowed to run in the frame.

If your application needs to use frames, you can set the parameter value to differentDomain. This setting causes framebusting to occur only if the frame is in a page that originates from a different domain than your application. This is the default setting.

Note: The origin of a page is defined using the domain name, application layer protocol, and in most browsers, TCP port of the HTML document running the script. Pages are considered to originate from the same domain if and only if all these values are exactly the same.

For example, say you have a page named DomainApage1 in your application that uses a frame to include the page DomainApage2. Say the external DomainBpage1 tries to clickjack the page DomainApage1. The result would be the following window hierarchy:

  • DomainBpage1

    DomainApage1

    DomainApage2

If the application has framebusting set to be differentDomain, then the framework walks the parent window hierarchy to determine whether any ancestor windows originate from a different domain. Because DoaminBpage1 originates from a different domain, the framebusting JavaScript code will run for the DomainApage1 page, causing it to become the top-level window. And because DomainApage2 originates from the same domain as DomainApage1, it will be allowed to run in the frame.