Framebusting is a way to prevent clickjacking, which occurs when a malicious web site loads a page originating from another domain into a frame and overlays it with a counterfeit page, so that only selected portions of the original (clickjacked) page, for example a single button, remain visible. When users click that button, they are in fact clicking a button on the clickjacked page, triggering an action they did not intend.
For example, say your web application resides in DomainA, and a web site in DomainB clickjacks your page by creating a page with an IFrame that points to a page in your web application at DomainA. When the two pages are combined, the page from DomainB covers most of your page in the IFrame and exposes only a button on your page that deletes all records in your web application. Users, not realizing they are actually interacting with your web application, may click the button and inadvertently delete all records.
The framed page defends itself with a line of JavaScript that replaces the top-level window with the page itself, so the attacker's overlay disappears:
top.location.href = location.href;
In Server Manager, you can configure Security settings for the EnterpriseOne HTML Server that control framebusting, and therefore protect EnterpriseOne pages against clickjacking. The settings include:
The valid values for each setting are:
always. If the page is in an iframe, the page takes over the whole window, regardless of which domain the framing page comes from.
differentDomain. (Default) If the page is in an iframe and the page and its parent window are from different domains, the page takes over the whole window.
never. Even if the page is in an iframe, the page never takes over the whole window; framebusting is disabled.
For more information about the configuration group settings for the EnterpriseOne HTML Server, see the "EnterpriseOne HTML Server" section in the JD Edwards EnterpriseOne Tools Server Manager Guide.
If your application needs to use frames, set the parameter value to differentDomain. This setting causes framebusting to occur only if the page framing your application originates from a different domain than your application; frames between pages of your own domain are left intact. This is the default setting.
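The following is an added illustration, not code from EnterpriseOne or the Server Manager: it models the three documented policy values (always, differentDomain, never) as a decision function, applies the page's `top.location.href = location.href` idiom from a browser-side entry point, and runs it against a constructed fake window tree in which a DomainB page frames DomainApage1, which in turn frames DomainApage2. The hostnames, the function names, and the fake window objects are assumptions made for the example; in a real page you would call `framebust(window, policy)` at load time.

```javascript
// Added illustration (not EnterpriseOne code): the three documented
// framebusting policies as a pure decision function, a browser-side
// installer built on the page's `top.location.href = location.href` idiom,
// and a constructed simulation of the DomainB -> DomainA -> DomainA tree.

// policy: "always" | "differentDomain" | "never" (the Server Manager values).
// framed: true when the page is inside an iframe (window.top !== window.self).
// parentOrigin: origin of the framing page, or null when the browser refused
//   to reveal it, which only happens for a cross-origin parent.
function shouldBust(policy, framed, parentOrigin, selfOrigin) {
  if (!framed) return false;               // top-level window: nothing to do
  switch (policy) {
    case "always":
      return true;
    case "never":
      return false;
    case "differentDomain":
      return parentOrigin === null || parentOrigin !== selfOrigin;
    default:
      throw new Error("unknown framebusting policy: " + policy);
  }
}

// Read the parent's origin the way a page in a browser would. The same-origin
// policy makes `parent.location.origin` throw for a cross-origin parent.
function parentOriginOf(win) {
  try {
    return win.parent.location.origin;
  } catch (_) {
    return null;
  }
}

// Browser entry point; a real page calls framebust(window, policy) on load.
// Returns the URL the top window was navigated to, or null if nothing happened.
function framebust(win, policy) {
  const framed = win.top !== win.self;
  const selfOrigin = win.location.origin;
  if (!shouldBust(policy, framed, parentOriginOf(win), selfOrigin)) return null;
  // Assigning top.location.href is allowed cross-origin; reading it is not.
  win.top.location.href = win.location.href;
  return win.location.href;
}

// ---- Constructed fake windows so the logic runs outside a browser ----
// A reference to another window behaves like the browser's cross-origin
// Location object: reads throw unless same-origin, writing href always works.
function windowRef(target, crossOrigin) {
  const deny = () => { throw new Error("SecurityError: cross-origin access"); };
  return {
    location: {
      get origin() { return crossOrigin ? deny() : target.location.origin; },
      get href() { return crossOrigin ? deny() : target.location.href; },
      set href(url) { target.navigatedTo = url; },
    },
  };
}

function makeWindow(origin, path, parent) {
  const win = { location: { origin, href: origin + path }, navigatedTo: null };
  win.self = win;
  if (!parent) {                           // top-level window
    win.parent = win;
    win.top = win;
    win.realTop = win;
    return win;
  }
  win.realTop = parent.realTop;
  win.parent = windowRef(parent, parent.location.origin !== origin);
  win.top = windowRef(win.realTop, win.realTop.location.origin !== origin);
  return win;
}

// DomainBpage1 frames DomainApage1, which itself frames DomainApage2.
// The hostnames are placeholders chosen for this example.
function simulate(policy) {
  const domainB = makeWindow("https://domainb.example", "/DomainBpage1", null);
  const page1 = makeWindow("https://domaina.example", "/DomainApage1", domainB);
  const page2 = makeWindow("https://domaina.example", "/DomainApage2", page1);
  return {
    page1Busts: framebust(page1, policy),   // parent is cross-domain
    page2Busts: framebust(page2, policy),   // parent is same-domain
    topNowShows: domainB.navigatedTo,
  };
}

console.log(JSON.stringify(simulate("differentDomain")));
```

With differentDomain, DomainApage1 busts out because its parent is DomainBpage1, while DomainApage2 stays framed inside DomainApage1 because the comparison is against the parent window, exactly as the setting is described; with always, DomainApage2 would also bust and break your own frame layout. Script-based framebusting is not a complete defence on its own: a framing page can neutralize it (for example with an iframe sandbox attribute that omits allow-top-navigation), so it should be backed by the X-Frame-Options or Content-Security-Policy frame-ancestors response headers, which the browser enforces before any script runs.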
For example, say you have a page named DomainApage1 in your application that uses a frame to include the page DomainApage2, and an external page, DomainBpage1, tries to clickjack DomainApage1 by framing it. The result would be the following window hierarchy: