Question for IT Geeks (Otherwise boring.)

Can someone tell me what the heck is going on here?

In the image above the right pane is the display of my article at Newsblur (http://www.newsblur.com/site/1100897/ click to the “story” view); to the left is the same article as seen at my own site (http://rankexploits.com/musings/2012/newsblur-a-modest-proposal/). I use Firefox 14.1 for the Mac (choice of browser seems to ‘matter’).

Notice that in the image on the left, the sidebar displays some rather stupid text in blue. This text is spit out using javascript and corresponds to “the referer”, “top.location” and “self.location”. Notice this stupid text does not appear in the right pane. One might be tempted to think that the answer is “Javascript has been disabled for the framed pane” at Newsblur, but this is not so. The reason I know this is the redundant times posted on the page. Notice that it tells you it is 6:42 pm GMT and then tells you it is 18:52 PM. The first bit is created by php and is frozen when the page is cached (by SuperCache, I think). The second time is created by javascript.

If javascript for my post was entirely disabled for the story the second time would not show.

Now, I have poked around here: http://www.newsblur.com/static/common.js?1345250291 where, among a few other things, I noticed:

enable_iframe_buster_buster: function() {
    var a = this, b = 0;
    // every attempt to navigate away (e.g. a frame buster setting top.location) bumps the counter
    window.onbeforeunload = function() { b++ };
    clearInterval(this.locks.iframe_buster_buster);
    this.locks.iframe_buster_buster = setInterval(function() {
        0 < b && (
            b -= 2,
            a.flags.iframe_story_locations_fetched
                && !a.flags.iframe_view_not_busting
                && _.contains(["page", "story"], a.story_view)
                && NEWSBLUR.reader.active_feed
                && (
                    // blank the frame, navigate the top window to NewsBlur's own /reader/buster,
                    // and switch the reader to its "feed" view
                    $(".NB-feed-frame").attr("src", ""),
                    window.top.location = "/reader/buster",
                    $(".task_view_feed").click()
                )
        )
    }, 1)
},
disable_iframe_buster_buster: function() {
    clearInterval(this.locks.iframe_buster_buster)
}

That said, I do think the Newsblur page may be doing something to interfere with the function of my javascript. My javascript skillzzzzz leave something to be desired, but the code above appears rather similar to a “framebuster code” discussed at stackoverflow.com:

<script type="text/javascript">
// Count attempts to leave the page; a frame buster's top.location = ... fires onbeforeunload.
var prevent_bust = 0
window.onbeforeunload = function() { prevent_bust++ }
// Poll every millisecond. When a navigation is pending, point the top window at a URL
// that answers 204 No Content; the browser drops a navigation whose response is 204,
// and the frame buster's pending navigation is discarded along with it.
setInterval(function() {
    if (prevent_bust > 0) {
        prevent_bust -= 2
        window.top.location = 'http://server-which-responds-with-204.com'
    }
}, 1)
</script>

Another version of framebuster code is described here.
If that is a framebuster code, I’ll say this: It seems to be working. 🙂

I’d say more about what I think about the use of framebuster codes. (I think most of you can guess my opinion of this. I do think browsers need to be written to prevent this trick.) But for now, I’d be interested in discussions of framebusting, but more importantly, I invite those whose programming skillzzzzz exceed mine and who might be interested to tell me why the blue text doesn’t show. I’m puzzled by that and I don’t want to read all that javascript! (Is it my code? What??)

Before ending: recall I said it seemed to matter what browser I used. If I use Safari, the view of this post in the “story” page is a blank screen. That’s what I think it ought to be in both cases because I included the following php before any text is printed: header(‘X-Frame-Options: DENY’); I think this is supposed to prevent framing in most browsers, but perhaps I misunderstand or I have inserted it incorrectly. But if I have deployed it incorrectly, and you know how to tell, let me know.
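As an added example (not code from the post, from NewsBlur, or from the stackoverflow answer), here is the header side written out as a small Node.js handler instead of a PHP header() call. The point it shows: X-Frame-Options only has two useful values, DENY and SAMEORIGIN (ALLOW-FROM took a single origin, was never supported by Chrome or Safari, and is obsolete), so it cannot express “translate.google.com may frame me but newsblur.com may not”. That needs the Content-Security-Policy frame-ancestors directive, which the browser enforces before any script in the framed page runs, so no framebuster buster can interfere with it. The allowed-origin list and the function names are assumptions for illustration.

```javascript
// Added example, not code from the post or from NewsBlur. Builds the response
// headers that make the browser itself refuse to frame a page. Unlike a
// JavaScript frame buster, nothing the framing page does can undo them.

function frameHeaders(allowedAncestors) {
  // allowedAncestors: []                                   -> nobody may frame the page
  //                   ["'self'"]                           -> only our own origin
  //                   ["'self'", "https://translate.google.com"] -> those only (assumed list)
  // Only 'self' and plain scheme://host[:port] origins are accepted here; anything
  // else is a programming error, so fail loudly rather than emit a broken policy.
  for (const a of allowedAncestors) {
    if (a !== "'self'" && !/^https?:\/\/[A-Za-z0-9.-]+(:\d+)?$/.test(a)) {
      throw new Error("not a valid frame-ancestors source: " + a);
    }
  }
  const csp = "frame-ancestors " + (allowedAncestors.length ? allowedAncestors.join(" ") : "'none'");
  const headers = { "Content-Security-Policy": csp };
  if (allowedAncestors.length === 0) {
    headers["X-Frame-Options"] = "DENY";        // for browsers that predate CSP frame-ancestors
  } else if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    headers["X-Frame-Options"] = "SAMEORIGIN";
  }
  // A third-party allow-list has no X-Frame-Options equivalent, so none is sent;
  // browsers that understand frame-ancestors ignore X-Frame-Options when both are present.
  return headers;
}

// Request handler for Node's http module. Like header() in PHP, every header must be
// set before the first byte of the body is written; after that it is too late.
function handler(allowedAncestors) {
  const headers = frameHeaders(allowedAncestors);
  return function (req, res) {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    res.setHeader("Content-Type", "text/html; charset=utf-8");
    res.end("<!doctype html><p>framable only by: " + (allowedAncestors.join(", ") || "nobody") + "</p>");
  };
}

// To serve it (not run here):
// require("http").createServer(handler(["'self'", "https://translate.google.com"])).listen(8080);
```

One caching caveat that matters on a WordPress site: if a plugin serves the page as a static file without going through PHP, a header added with header() never reaches the browser, which is one way a correctly written X-Frame-Options line can appear to do nothing.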

Also I have found suggestions for implementing a “framebuster buster buster” (getElementsByName). Although I am not ignoring Eli’s advice about DMCA (which was also suggested by a copyright attorney) I do also want to know how to prevent this sort of framing and/or interference with my site by other third parties who might do a similar thing in the future.

I know that if people have figured out framebusters and someone has started framing, it is only a short time before all sorts of other people start framing again. Ouch!

PS. I’m taking the cat to the vet now. Those who want to know why cats sometimes appear, I’ll explain when I get back.

36 thoughts on “Question for IT Geeks (Otherwise boring.)”

  1. Ooh. I didn’t try looking in the “Story” tab earlier because I thought it wouldn’t display anything. It turns out the Story and Original tab views are disabled when I’m logged into NewsBlur, but if I log out, both work. The key is when I’m logged in, I get sent to 590534, but when I’m logged out, I get sent to 1100897. Of course, I can manually navigate to either.

    Anyway, the Original and Story views are apparently only disabled for the 590534. That also explains why you get two different visits from NewsBlur.

    As for what’s going on, it appears the Story view is doing something to break your “frame buster.” Not only does the text on the right not show up, the warning message you added to the top is missing as well. Oddly enough, both are present in the Original view.

    As for what’s going on, I’m afraid I’m a bit busy this afternoon, so it’ll be a little bit before I can check into things. However, if you want to render the issue irrelevant, you could just demand Clay disable both instances of your site.

  2. Brandon–
    I do both want to make things irrelevant and find out what the heck is going on with that framebuster/javascript buster. I am going to repeat my request that Clay stop copying etc. But I do want to know what sort of fiddling can be done because if Newsblur is doing it, someone else can and likely will.

    Thanks for letting me know about the existence of 590534 in addition to 1100897.

  3. lucia:

    I invite those whose programming skillzzzzz exceed mine and who might be interested to tell me why the blue text doesn’t show. I’m puzzled by that and I don’t want to read all that javascript! (Is it my code? What??)

    It’s not your code. You’re right about the part you excerpted; it’s a frame buster buster (remember, what you wrote is a frame buster so Clay’s using a frame buster buster). It’s a bit more complicated than the one in the link you gave, but it’s using the same basic idea.

  4. I don’t understand why the frame buster buster would interfere with javascript writing the blue text while still writing the time.

    On the extra page: I now know why “page fetcher” visits didn’t always result in 1100897 being updated.

  5. It turns out the Story and Original tab views are disabled when I’m logged into NewsBlur, but if I log out, both work.

    This information just registered!!! Interesting that.

  6. lucia, the reason is he made more than just a frame buster buster. Unfortunately, it will be a while before I can parse his code to figure out exactly what he did (and where). I hate Javascript, and that file is almost a megabyte of unformatted and undocumented code, so it could take some time. That said, I can at least diagnose the issue.

    You see, he’s tricked you into thinking your Javascript worked for displaying the time. It didn’t. If you checked the source code for the frame, you’ll see this:

    document.write("|" + document.referrer + "|" + topWindow + "|" + selfWindow + "| ")
    // remove for now so people inadvertently caught see message.
    if( ( (topWord[2] != correctWord2) || (selfWord[2] != correctWord2) )
    && (selfWord[2] != 'translate.googleusercontent.com' || selfWord!=topWord ) && (topWord[0] == http ) ){
    //top.location=correctLocation
    }

    //-->
    (20:13 PM )

    Look at the last line. In your code, it’s:

    His code modifies your HTML to make it look like your script is displaying the time. In reality, he’s simply hard-coding the time into your HTML. This allows it to appear like he isn’t breaking all of your JS scripts (at least, I think he’s breaking all of them).

  7. Hello!
    I’m the guy that kicked off all this fuss by reading the blog via Newsblur.

    Lucia, your javascript is failing in several places, for example:
    var topWindow = String(top.location)
    as unsafe javascript. That’s why the date shows (as it comes before), then the script bails. If you use the Chrome browser it’s great for seeing this kind of stuff: you go to developer tools, select scripts, then choose the page, scroll down and the errors are shown in red.

  8. David–
    Thanks! (Both for inadvertently alerting me to the copying and for helping in this question.)

    Obviously, I’m not a whiz at javascript. Two questions:
    If var topWindow = String(top.location) causes things to fail so that I can’t document.write (topWindow), how come I can show that when the post is not framed?

    Then…. is there a good way to compare the domains? I just wanted to do something that would work quickly. If I made topWindow into a string, I could break it on ‘/’ and then compare the domains. That seemed to work– and does except in Newsblurs frame of the posts. (It works fine in the frame of his copy of http://rankexploits.com/musings )

    I can see errors in Firefox too. Every single site seems to throw a million and a half of them. Mine throws fewer, and many don’t have anything to do with what I coded. So… not being a javascript coder…. (I can get Chrome. Maybe their error messages are less cryptic. Firefox doesn’t tell me the line where the error happens, so I’m stuck with guesswork.)

  9. David, I’m afraid your explanation doesn’t make sense to me:

    Lucia, your javascript is failing in several places, for example:
    var topWindow = String(top.location)
    as unsafe javascript. That’s why the date shows (as it comes before), then the script bails. If you use the Chrome browser it’s great for seeing this kind of stuff: you go to developer tools, select scripts, then choose the page, scroll down and the errors are shown in red.

    You claim to give a reason as to “why the date shows,” yet the source code I quoted from the framed view clearly shows that time has been hard-coded in NewsBlur’s version but not in lucia’s. That isn’t compatible with your explanation. If what you said about the script were true, the time would be displayed three times (once from PHP, once from JS, once from hard-coding).

    Besides which, if “the script bails” when you say, it wouldn’t show lines using the variable declared in the line you say breaks it.

  10. I hate Javascript, and that file is almost a megabyte of unformatted and undocumented code, so it could take some time

    Why do you think I figured out I wasn’t going to figure out out?! 🙂

    There is another odd puzzle about his .js code. (http://www.newsblur.com/static/common.js?1345250291) At the top it reads:

    /*
    jquery.layout 1.3.0 - Release Candidate 29.14
    $Date: 2011-02-13 08:00:00 (Sun, 13 Feb 2011) $
    $Rev: 302914 $

    Copyright (c) 2010
    Fabrizio Balliano (http://www.fabrizioballiano.net)
    Kevin Dalman (http://allpro.net)

    Dual licensed under the GPL (http://www.gnu.org/licenses/gpl.html)
    and MIT (http://www.opensource.org/licenses/mit-license.php) licenses.

    Changelog: http://layout.jquery-dev.net/changelog.cfm#1.3.0.rc29.13

    Docs: http://layout.jquery-dev.net/documentation.html
    Tips: http://layout.jquery-dev.net/tips.html
    Help: http://groups.google.com/group/jquery-ui-layout
    */
    (function(a,b){

    So you would expect that if you found the code by Fabrizio Balliano, the “quoted” code would look the same, n’est-ce pas?

    Well… look at
    http://code.google.com/p/opera-svg-viewer/source/browse/trunk/scripts/jquery.layout.1.3.min.RC-29.14.js?spec=svn31&r=31

    jquery.layout 1.3.0 - Release Candidate 29.14
    $Date: 2011-02-13 08:00:00 (Sun, 13 Feb 2011) $
    $Rev: 302914 $

    Copyright (c) 2010
    Fabrizio Balliano (http://www.fabrizioballiano.net)
    Kevin Dalman (http://allpro.net)

    Dual licensed under the GPL (http://www.gnu.org/licenses/gpl.html)
    and MIT (http://www.opensource.org/licenses/mit-license.php) licenses.

    Changelog: http://layout.jquery-dev.net/changelog.cfm#1.3.0.rc29.13

    Docs: http://layout.jquery-dev.net/documentation.html
    Tips: http://layout.jquery-dev.net/tips.html
    Help: http://groups.google.com/group/jquery-ui-layout
    */
    (function(f){var C=f.browser;f.la

    That’s of course just showing they don’t start out the same. But do a search for things like ‘iframe_buster_buster’ in Fabrizio’s code. Or

    Fabrizio also includes things like carriage returns. It’s pretty dense, but at least there are some carriage returns. Imagine that.

  11. lucia:

    Why do you think I figured out I wasn’t going to figure out out?! 🙂

    It really didn’t help that while I was checking things out, you added the frame buster buster buster. It took me a little while to figure out what had broken.

    By the way, I don’t know if it’s related, but ever since you turned that on (the timing may be coincidental), I get a messed up version of at least one page. It’s weird because the Recent Comments section doesn’t show almost ten new comments, and the time it displays is:

    8/20/2012/ 10:12 pm GMT
    (23:37 PM )

    The second time updates whenever I refresh the page, but the first one doesn’t. It seems the content of the page has become static while the scripts are still dynamic…?

  12. Edit: Nevermind. I can’t figure out how to post the HTML code so my comment makes sense.

  13. Brandon–
    Sorry about that. I pulled the framebuster-buster out. But it does work!

    Nick —
    Thanks for reminding me about firebug.

  14. The second time updates whenever I refresh the page, but the first one doesn’t. It seems the content of the page has become static while the scripts are still dynamic…?

    If you are only doing things at my site, I think what you are seeing is “SuperCache” a cache system for WordPress. Without a WP cache, WP creates a new page by pulling stuff out of the database every time you reload. But with SuperCache, it creates one only at certain times. These include: When someone posts a comment, or after the cache is considered “stale”. So, if you reload, the javascript will show the new time but the time pulled out by php will not reload.

    Cloudflare also caches images– but WP doesn’t do that. That’s why teasing out what might happen can be a bit confusing.

    The time in ( ) should be Javascript and so should be fresh.

  15. Off topic, but interesting math and stats

    Earth Syst. Dynam. Discuss., 3, 561-596, 2012
    http://www.earth-syst-dynam-discuss.net/3/561/2012/
    doi:10.5194/esdd-3-561-2012
    © Author(s) 2012. This work is distributed
    under the Creative Commons Attribution 3.0 License.

    Polynomial cointegration tests of anthropogenic impact on global warming

    M. Beenstock1, Y. Reingewertz1, and N. Paldor2
    1Department of Economics, the Hebrew University of Jerusalem, Mount Scopus Campus, Jerusalem, Israel
    2Fredy and Nadine Institute of Earth Sciences, the Hebrew University of Jerusalem, Edmond J. Safra campus, Givat Ram, Jerusalem, Israel

    Abstract. We use statistical methods for nonstationary time series to test the anthropogenic interpretation of global warming (AGW), according to which an increase in atmospheric greenhouse gas concentrations raised global temperature in the 20th century. Specifically, the methodology of polynomial cointegration is used to test AGW since during the observation period (1880–2007) global temperature and solar irradiance are stationary in 1st differences whereas greenhouse gases and aerosol forcings are stationary in 2nd differences. We show that although these anthropogenic forcings share a common stochastic trend, this trend is empirically independent of the stochastic trend in temperature and solar irradiance. Therefore, greenhouse gas forcing, aerosols, solar irradiance and global temperature are not polynomially cointegrated. This implies that recent global warming is not statistically significantly related to anthropogenic forcing. On the other hand, we find that greenhouse gas forcing might have had a temporary effect on global temperature.

    http://www.earth-syst-dynam-discuss.net/3/561/2012/esdd-3-561-2012.html

  16. Ok… I get this:
    [21:59:18.900] Error: Permission denied for <http://rankexploits.com> to call method Location.toString @ http://rankexploits.com/musings/2012/newsblur-a-modest-proposal/:7

    So it seems that when my page is framed by another domain, I can’t call topWindow = String(top.location). In contrast, the line I wrote is perfectly valid if my page is not framed, if I frame the post at my domain (rankexploits) in a parent frame at rankexploits, or when newsblur loads their copy of my post in their frame, because then the “child” and “parent” frames share a domain.

  17. Ok… I understand why the blue was showing when not framed and why it was not showing when my stuff was framed at newsblur. Now I just need to figure out how to tweak the frame-buster-buster so it’s not going to cause problems over at google translate or when downloaded at people’s homes! The google translate may be the touchy part.

  18. Brandon,

    “You claim to give a reason as to “why the date shows,” yet the source code I quoted from the framed view clearly shows that time has been hard-coded in NewsBlur’s version but not in lucia’s. That isn’t compatible with your explanation.”

    I suspect somehow that what you copied/pasted got mixed up. I did not save the original source (and it has changed now) but there was not a hardcoded “replacement” timestamp for the javascript “document.write” in the source from newsblur that I looked at. The script ran until it started manipulating stuff it didn’t have permission to, which was straight after it output the timestamp.

  19. Lucia,
    “I’ve asked over at http://stackoverflow.com/quest…..exceptions”

    I liked this bit:
    “I believe I have tracked the problem down to var topWindow = String(top.location) not being permitted in my child window”

    Anyway, not being precious as a blog owner, I’ll give you a suggestion (have no idea if it will work though). You don’t need to create the topWindow variable, just use top.location.href directly, and split on that without a temporary variable.

  20. David

    You don’t need to create the topWindow variable, just use top.location.href directly, and split on that without a temporary variable.

    Could you elaborate?

    I know how to use top.location.href as a variable. I know that I could break out of many frames using top.location.href=self.location.href or something similar. There are all sorts of combinations of ‘top.location’ and ‘self.location’ that permit redirect provided you want to break out of every single possible frame.

    But I want to make exceptions.

    Specifically, I want to break out of newsblur’s frame while still staying in a frame at translate.google.com whose “top” location will always contain “translate.google.com” but whose precise top.location.href will differ for every one of my posts. I’d also like to stay in the google cache frame, but the translation frame is more important to me.

    It’s the desire to stay in some frames while breaking out of the obnoxious to me ones that presents the challenge.

  21. What about with parent.location.href ?

    What about it? I know it exists. Other than that I don’t know what you are suggesting. I want a solution that works in both of the frames at newsblur and that permits me the exceptions. Merely knowing that parent.location.href exists is not enough information for me to know how to solve this.

    I’m honestly asking a question here. If someone knows how to do this, I’d like the solution. But it’s going to be longer than “use variable blah”. Because I’m going to need guidance on how to use it.

  22. “Could you elaborate?”

    My suggestion is, instead of:

    var topWindow = String(top.location)
    var topWord = topWindow.split("/")

    would:

    var topWord = top.location.href.split("/")

    not work instead? It’s possible it wouldn’t; it all depends on the security rules of given browsers. If that does not work, what about:

    var topWord = parent.location.href.split("/")

  23. I just checked the newsblur site. When I go in with IE and click the “story” tab, I now get “This content cannot be displayed in a frame” for this page… but when I go in there with Opera, I get this page displayed in the frame for a few seconds, then it redirects the browser to this site.

  24. David–
    I found I couldn’t split top.location because top.location is not a string. So, you can’t do

    topWord = top.location.split("/")

    I had to turn top.location into a string to split it. I imagine top.location.href is also not a string.

    FWIW: The reason using two lines where it seems only one is required is fiddling. At different times I was using document.write() to see if things held what I thought they held.

    I’ve thought about fiddling endlessly, but in the end I thought asking at stackexchange might be wiser. There are lots of people who really know javascript there. Plus, if a solution evolves there plenty of people will know it.

  25. Skeptical–
    I suspect what you are seeing is different browsers responding differently to the header(‘X-Frame-Options: DENY’); directive.

    So:
    Safari: shows blank page.
    Firefox: Does nothing.
    Opera: “This content cannot be displayed in a frame”
    IE “This content cannot be displayed in a frame”

    I like Opera’s method best since it interferes with what the Framer is trying to do most. (If the framer doesn’t want things redirected he can change his html and stop framing a site that redirects!)

    Obviously, I like Firefox least. Oddly I like the mystery blank page by Safari more than IE. After all, it makes it look like the guy trying to frame screwed up. But…. I suspect most people would prefer the IE message.

  26. top.location.href is a string (which is why I originally thought it might work).

    I don’t think there is any straightforward work around (at least in the general way that you want to be able to specify particular top level locations to exempt from the frame busting using javascript).

    It’s amazing they seem to have added X-Frame-Options which is exactly what you would generally want in this kind of situation but were extremely limited in the variations possible.

  27. David–
    I may need to content myself with using .htaccess to ensure that the “story” view is always the article of me bitching about newsblur. (Well… unless you spoof the referrer!)

    But really, I would prefer to bust those frames whenever possible. I’ll wait a little to see if someone at stackexchange has any idea. If they don’t, I’ll send another email telling newsblur to sort things out.

    Notice that Brandon says he can see my “story” and “original” view if he’s not logged in. It may be that newsblur has a bug and the creator thinks that people need to be logged in. Requiring people to log in is rather a common feature of “feed readers”. Maybe he just doesn’t realize that he’s posting copies right out there “in the wild” as it were. (Either way: there they are!)

  28. BTW: I figured out the solution. Googling I discovered “try” and “catch”. Now I can distinguish the two cases and code accordingly without throwing an error. 🙂

  29. I thought the problem you were attempting to solve was how to detect parent frame url so that you could take different actions based on that.

  30. I thought the problem you were attempting to solve was how to detect parent frame url so that you could take different actions based on that.

    Yes. I admit to having only partly solved the problem because I can’t fix it so that select 3rd parties can frame things. But I do have it so:
    1) translate.google.com can frame the way it does frame. (It frames a translated copy hosted at translate.google.com.)
    2) people can download and read that in a frame. (They make a copy in this case.)
    3) If someone other than the chosen selections above has made a copy, and frames it, I don’t bust that frame.
    4) if someone tries to load something hosted at rankexploits.com in a not-rankexploits.com frame, they can’t.

    Doing (4) doesn’t screw up 1-3. Previously, I didn’t know how to do (4) without screwing up 1-3. But I figured it out.

    Note that 1-3 all involve the parent and child sharing a domain. While in (4) they don’t. I can’t figure out how to, for example, forbid “evil.c0m” from framing “rankexploits.com” while permitting “good.c0m” to frame that same window.

    The reason “try{ }catch(err){ }” works is precisely that in the “try” bit, I try to use “top.document.domain”. If the child and parent share a domain, I can use that without throwing an error. So, I do whatever I want to do when the child and parent match.

    If the child and parent do not have the same domain, this throws an error. As you noticed, errors stop javascript cold. But it turns out if you put it in a “try”, then it doesn’t stop javascript cold; it performs the “catch(err)” branch instead. In that branch, I darn well better not try to do anything with “top”. But I know that top is not defined. In this case, I just bust out of the frame.

    (BTW: I also discovered that I was using my X-Forward headers too late. The mystery is why it sometimes worked. But I kinda like the javascript method!)
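Putting the try/catch idea from the comment above into a form that can be exercised outside a browser, as an added example (this is not lucia’s script or NewsBlur’s code; the allow-list of framers and the function names are assumptions): the decision is a pure function, the browser is handed in as an object, and the page body is hidden by a stylesheet until the decision comes back positive. That last part is what defeats a framebuster buster: the onbeforeunload/204 trick can only cancel the navigation out of the frame, it cannot un-hide the page. The caveat a practitioner wants is in the cross-origin branch: from inside a frame whose top is another origin, reading top.location throws (the “Permission denied … Location.toString” error quoted in comment 16), so script cannot tell a wanted cross-origin framer from an unwanted one. Only a same-origin top can be matched against the list, and a per-framer allow-list across origins is exactly what the CSP frame-ancestors header is for.

```javascript
// Added example, not lucia's or NewsBlur's code. A frame buster whose decision
// logic is separated from the browser so it can run and be tested here.
// Browser facts it relies on: reading top.location (or top.document.domain) from
// a cross-origin frame throws a SecurityError; a same-origin top can be read.

const ALLOWED_TOP_HOSTS = ["rankexploits.com", "translate.google.com"]; // assumed allow-list

// win: { isTop: boolean, topHostname: () => string }
// topHostname throws when the top frame is cross-origin, as top.location.hostname would.
function classifyFrame(win) {
  if (win.isTop) return "not-framed";
  let host;
  try {
    host = win.topHostname();
  } catch (e) {
    return "cross-origin-framer";   // unreadable: could be NewsBlur, could be anyone
  }
  return ALLOWED_TOP_HOSTS.includes(host) ? "allowed-framer" : "other-framer";
}

// Reveal the CSS-hidden body, or try to break out of the frame.
function decide(win) {
  const kind = classifyFrame(win);
  const allowed = kind === "not-framed" || kind === "allowed-framer";
  return { kind, reveal: allowed, bust: !allowed };
}

// page: { selfHref, revealed, navigateTop(url) -> boolean }
// navigateTop returns false when the framer's buster-buster cancelled the navigation.
// Because the body starts hidden and is only revealed on a positive decision, a
// cancelled bust still leaves the framer with nothing readable to show.
function applyDecision(page, decision) {
  if (decision.reveal) {
    page.revealed = true;
    return "revealed";
  }
  return page.navigateTop(page.selfHref) ? "busted" : "hidden-but-stuck";
}

// Browser wiring. Assumes <style id="antiClickjack">body{display:none}</style>
// in <head>, placed before this script. A real browser cannot report a cancelled
// navigation, so navigateTop always returns true there; the hidden body is the safety net.
function runInBrowser(w) {
  const win = { isTop: w.self === w.top, topHostname: () => w.top.location.hostname };
  const page = {
    selfHref: w.self.location.href,
    revealed: false,
    navigateTop: (url) => { w.top.location = url; return true; },
  };
  const result = applyDecision(page, decide(win));
  if (result === "revealed") {
    const s = w.document.getElementById("antiClickjack");
    if (s) s.parentNode.removeChild(s);
  }
  return result;
}
```

Comparing w.top.location.hostname directly avoids the String(top.location).split("/") dance from the comments; the split only ever worked when the top was readable anyway, and hostname is what the allow-list is really about.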
