October 16th 2007
Breaking Out of Frames (Except Google Images)

Posted under Code

Most of us have an interest in protecting our content from digital thieves, which, sadly, the internet is full of. There are any number of ways a person can steal content from your site; in this article we’ll look into frames. They generally fell out of favor shortly after being introduced, but while they’re used only in a minority of sites, they are still being used.

Google Images is an example, and an edge case. Clicking an image from the search results takes you to a frameset, with Google’s branding along the top of the browser window, and the page the image was found on below. This is permissible use, however; Google Images sends my photography site about 8,500 visitors per month.

There are three main ways to steal and republish visual content, be it an image, video, or other media:

  1. “Hot-link” it. I’ve already written an article showing how to disable hotlinking, but enable it for a white-list you maintain. This is particularly nasty in that it uses your bandwidth to transfer the file, but convenient in that your server logs will tell you exactly “where” it happened.
  2. Frame it. Using an inline frame, a site can display a resource from another site as if it were part of a page on the first site. Displaying your page inside of theirs gets the calling site free content to promote themselves with, and again uses your bandwidth. Further, this corrupts your statistics with unhelpful calls to particular pages of yours that some foreign server is using for its own means. This can be harder to find, because the referral data for elements on a page will show the page they’re normally associated with.
  3. Outright Steal It. Download the content, and then rebroadcast it from a different server. Unfortunately, this is by far the most difficult type of digital piracy to address. All browsers download images and scripts in order to display a page; this makes your server logs worthless as a starting point.

Point #1 has already been addressed, and has a side effect that makes #2 much easier. When an image (or swf or other media) is requested with no referrer, your server should be set to redirect to your home page. Unfortunately, this leaves #3, which is far more difficult to address, and the subject of a future post. This leaves #2: frames.

Like any other HTML element, a frame can be accessed through client-side scripting. The function below will break out of a frameset or inline frame, giving your page the full browser window, unless it’s Google Images. You can call this in the body’s onload event, in a script block that will run as the page loads, or, if you have a standard page load function - say to set your navigation system - call this function there:


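function BreakFrames() {
    // The parent window contains frames: break out unless the first frame
    // is served from Google Images. Reading location.host of a frame on
    // another origin is blocked by the same-origin policy and throws.
    if (parent.frames.length > 0 &&
        parent.frames[0].location.host != "images.google.com")
        parent.location.href = window.location.href;
    // This window is not the top-level window: replace the top-level page.
    if (window != top)
        top.location = window.location;
}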
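
The function above reads `parent.frames[0].location.host`, which the browser refuses when that frame is on another origin. As an added example (not the article's code), this variant tolerates that refusal and falls back to `document.referrer`; the `ALLOWED_FRAMERS` list and the function names are assumptions.

```javascript
// Added example, not the article's code. ALLOWED_FRAMERS is an assumed allow-list.
const ALLOWED_FRAMERS = ["images.google.com"];

// Best-effort host of the page framing us, or null when it cannot be learned.
function framerHost(win) {
  try {
    // Only succeeds when the parent is same-origin; otherwise the browser throws.
    return win.parent.location.host;
  } catch (e) {
    // Cross-origin parent: fall through to the referrer.
  }
  try {
    // In a framed document, document.referrer is normally the framing page's URL.
    return new URL(win.document.referrer).host;
  } catch (e) {
    return null; // empty or unparseable referrer
  }
}

// True when the page is framed by a host that is not on the allow-list.
function shouldBreakOut(win, allowed = ALLOWED_FRAMERS) {
  if (win === win.top) return false; // top-level window, nothing to do
  const host = framerHost(win);
  return host === null || !allowed.includes(host); // unknown framer: break out
}

function breakFrames(win, allowed = ALLOWED_FRAMERS) {
  if (!shouldBreakOut(win, allowed)) return false;
  // Writing top.location is not blocked by the same-origin policy (reading it is).
  win.top.location = win.location.href;
  return true;
}

// Run in a browser; under Node (no window object) this line does nothing.
if (typeof window !== "undefined") breakFrames(window);
```

Script-based breakout can be suppressed by the framing page (for example with a sandboxed iframe), and the referrer can be withheld, in which case this code breaks out. The server-side control for the same goal is the `Content-Security-Policy: frame-ancestors` response header or `X-Frame-Options`.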

4 Responses to “Breaking Out of Frames (Except Google Images)”

  1. Rick on 17 Oct 2007 at 5:03 pm #

    Re ‘Breaking out of frames’, I wonder if the code you offer indeed works for ‘inline’ frames. While ‘parent.frames.length’ will indicate the presence of a parent frame, including inline, due to the protection regarding cross-domain referencing, it does not seem possible to obtain the value of the location.host of the parent for the inline case, except in special instances.

    When I install your code, as anticipated, the ‘parent.frames[0].location.host’ that is reported is that of the inline element rather than the parent.

    Perhaps you can shed some additional light on this…

    If this is true, then it does not seem possible to selectively bust out of an inline frame.

    Thank you.

  2. Forrest on 18 Oct 2007 at 9:24 pm #

    I’ve tested it against iframes as well as framesets; that’s why there are two if blocks that seem to accomplish the same thing. First we look at parent.frames.length to see whether the current page is part of a frame set. Then it checks whether window == top to look for an iframe.

    This code when saved as a web page

    <html>
    <body>
    <iframe src="test.html"></iframe>
    <iframe src="http://forrestcroce.com/Photos/Under-Talapus-Lake.html"></iframe>
    </body>
    </html>

    “breaks out” of the inline frame and only displays the src in the full browser window.

  3. Nishi on 04 Nov 2007 at 8:25 pm #

    This explains all.

    Thanks

  4. » A Portrait of the Artist as a Young Man | Fine Art Photography Blog on 21 Dec 2007 at 7:59 am #

    […] his bare hands, his son lost sight and plummeted into the sea. Perhaps the labyrinthine artifice of writing code also relates to this myth? Our hero survived his son not because of his genius, but out of simple […]
