Framebusting: A well documented but still unknown ADF Faces Feature
By frank.nimphius | September 24, 2009
Customers, internal and external, who try to run an ADF Faces application inside a frame may run into problems with JDeveloper 11g. The reason is the clickjacking protection that is enabled by default for ADF Faces applications and that prevents your pages from being wrapped by third-party sites. So if "framebusting" is nothing you are aware of, read on ...
Fortunately, I can't describe this feature better than our documentation team already did, so for this blog entry I will simply quote the product documentation (appendix A):
“Use the oracle.adf.view.rich.security.FRAME_BUSTING context parameter to use framebusting in your application. Framebusting is a way to prevent clickjacking, which occurs when a malicious web site pulls a page originating from another domain into a frame and overlays it with a counterfeit page, allowing only portions of the original, or clickjacked, page (for example, a button) to display. When the user clicks the button, they in fact are clicking a button on the clickjacked page, causing unexpected results.
For example, say your application is a web-based email application that resides in DomainA and a web site in DomainB clickjacks your page by creating a page with an IFrame that points to a page in your email application at DomainA. When the two pages are combined, the page from DomainB covers most of your page in the IFrame, and exposes only a button on your page that deletes all email for the account. The user, not knowing they are actually in the email application may click the button and inadvertently delete all their email.
Framebusting prevents clickjacking by using the following JavaScript to block the application’s pages from running in frames:
top.location.href = location.href;
If you configure your application to use framebusting by setting the parameter to always, then whenever a page tries to run in a frame, an alert is shown to the user that the page is being redirected, and then the above code is run, which causes it to be the topmost page, thereby disallowing the page to run in the frame.
If your application needs to use frames, you can set the parameter value to differentDomain. This setting causes framebusting to occur only if the frame is in a page that originates from a different domain than your application. This is the default setting.
Note:
The origin of a page is defined using the domain name, application layer protocol, and in most browsers, TCP port of the HTML document running the script. Pages are considered to originate from the same domain if and only if all these values are exactly the same.
For example, say you have a page named DomainApage1 in your application that uses a frame to include the page DomainApage2. Say the external DomainBpage1 tries to clickjack the page DomainApage1. The result would be the following window hierarchy:
DomainBpage1 –> DomainApage1 –> DomainApage2
If the application has framebusting set to be differentDomain, then the framework walks the parent window hierarchy to determine whether any ancestor windows originate from a different domain. Because DomainBpage1 originates from a different domain, the framebusting JavaScript code will run for the DomainApage1 page, causing it to become the top-level window. And because DomainApage2 originates from the same domain as DomainApage1, it will be allowed to run in the frame.
Valid values are:
- always: The page will show an error and redirect whenever it attempts to run in a frame.
- differentDomain: The page will show an error and redirect only when it attempts to run in a frame on a page that originates in a different domain (the default).
- never: The page can run in any frame on any originating domain.
This context parameter is ignored and will behave as if it were set to never when either of the following context parameters is set to true:
- org.apache.myfaces.trinidad.util.ExternalContextUtils.isPortlet
- oracle.adf.view.rich.automation.ENABLED”
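To make the rule in the quoted documentation concrete, here is an added example, written for this post and not taken from ADF Faces or Oracle's framework, that models the FRAME_BUSTING check in plain JavaScript: an origin comparison on protocol, host and port as the documentation's note defines it, the decision for each of the three parameter values (bust if any ancestor window has a different origin under differentDomain), and the browser-side walk up window.parent in which a cross-origin ancestor reveals itself by throwing when its location is read. The function names, the sample URLs standing in for DomainApage1, DomainApage2 and DomainBpage1, and the use of null for an ancestor whose location cannot be read are assumptions of this example.

```javascript
// Added example (not Oracle's code): a model of the ADF Faces FRAME_BUSTING check
// as the documentation describes it. Origins compare protocol + host + port; with
// differentDomain the page busts out if ANY ancestor window has a different origin.
// Function names, the sample URLs and the use of null for an unreadable ancestor
// are assumptions made for this example.

// Origin per the documentation's note: protocol, host and port must all match.
// URL normalises default ports, so https://a.example and https://a.example:443 agree.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA), b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Decide whether the page at pageUrl must bust out of its frame.
//   mode:         value of oracle.adf.view.rich.security.FRAME_BUSTING
//   ancestorUrls: hrefs of the ancestor windows, nearest parent first (empty when
//                 the page is already the top window); null marks an ancestor whose
//                 location the browser would not reveal, which can only be cross-origin.
function shouldBust(mode, pageUrl, ancestorUrls) {
  switch (mode) {
    case "never":
      return false;
    case "always":
      return ancestorUrls.length > 0;
    case "differentDomain":
      return ancestorUrls.some((u) => u === null || !sameOrigin(u, pageUrl));
    default:
      throw new Error("unknown FRAME_BUSTING value: " + mode);
  }
}

// Browser-only: walk window.parent up to the top, recording each ancestor's href.
// Reading location.href of a cross-origin window throws a SecurityError; that
// exception is itself the "different domain" signal, so it is recorded as null.
function collectAncestorUrls(win) {
  const urls = [];
  for (let w = win; w !== w.parent; ) {
    w = w.parent;
    try {
      urls.push(w.location.href);
    } catch (e) {
      urls.push(null);
    }
  }
  return urls;
}

// Browser-only: the redirect quoted in the documentation, applied only when needed.
function bustIfNeeded(mode, win) {
  if (!shouldBust(mode, win.location.href, collectAncestorUrls(win))) return false;
  win.top.location.href = win.location.href;
  return true;
}

// Constructed URLs for the documentation's scenario:
//   DomainBpage1 -> DomainApage1 -> DomainApage2
const DomainApage1 = "https://mail.domaina.example/page1";
const DomainApage2 = "https://mail.domaina.example/page2";
const DomainBpage1 = "https://attacker.domainb.example/page1";

// Walk the scenario with FRAME_BUSTING=differentDomain (and once with always).
function runScenario() {
  return {
    // DomainApage1 sees DomainBpage1 above it: it busts and becomes the top window.
    page1Busts: shouldBust("differentDomain", DomainApage1, [DomainBpage1]),
    // Evaluated in the original hierarchy, DomainApage2 would also see DomainBpage1.
    page2InAttackerFrame: shouldBust("differentDomain", DomainApage2, [DomainApage1, DomainBpage1]),
    // After DomainApage1 has busted, DomainApage2's only ancestor is same-origin,
    // so it stays framed, as the documentation says.
    page2AfterBust: shouldBust("differentDomain", DomainApage2, [DomainApage1]),
    // With "always", even the same-origin frame is refused.
    page2Always: shouldBust("always", DomainApage2, [DomainApage1]),
  };
}

if (typeof window === "undefined") {
  console.log(runScenario());
}
```

Run it under Node to see the scenario play out; in a browser, bustIfNeeded("differentDomain", window) performs the same decision the framework makes for a page. Keep in mind the limit of any script-based protection: if the framing page keeps the script from running or from navigating the top window (the HTML5 iframe sandbox attribute can do both), the bust never happens, so a response header such as X-Frame-Options, which browsers began supporting in 2009, is the usual complement to FRAME_BUSTING rather than a replacement for it.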
As I mentioned, it is a well documented feature, though unknown to many who did not take the time to read our developer's guide from the beginning to the very end.
Frank
Topics: ADF Faces RC, Security
