
Sunday, December 5, 2004

Fourmilab Framed!

A few days ago I received a feedback message complimenting me on Earth and Moon Viewer but wondering why I saw fit to include pornographic banner advertising on my site. Well, seeing as there is neither advertising nor pornography at this site, this occasioned some head scratching. My first guess was that the user's machine was infected with spyware/adware of some kind which caused the offensive material to pop up when navigating to various sites, and I suggested the usual remedies.

After exchanging a couple more messages, I finally twigged as to what was going on. The user had not navigated to Earth and Moon Viewer directly, but rather had found it through a search engine--a particularly sleazy one. When the user clicks on a link in the results from a search, rather than taking the user directly to the destination site, it returns an HTML <frameset> defining a top frame into which it injects a banner advertisement and a bottom frame in which the destination site appears. The frameset specifies frameborder="0" which suppresses the border usually drawn between frames, so what the user sees appears for all the world like the destination site with a banner advertisement specified by (and the proceeds credited to) the search engine at the top.

How would you like your site to show up with somebody else's offensive advertising at the top? Well, I don't like it one bit, so here's what I did about it. First of all, in the Earth Viewer main page (the one they link to), I added:

    <base target="_top">

to the document header. This guarantees that when a user clicks any of the links in the page (assuming the link doesn't specify its own "target="), the destination will replace the entire contents of the browser window, getting rid of the banner. This is stone standard HTML and should work in any frame-enabled browser, which is the only kind we need worry about.

This doesn't, however, keep the banner from appearing on the initial page the search engine linked to at your site. The only solution I could find for this involves JavaScript, but that's not as severe a restriction as you might think since many of these slimy sites don't work unless JavaScript is enabled, because they need it for their revenue-generating pop-ups, pop-unders, etc., etc., so they don't allow users with JavaScript disabled access to the "content", such as it is. Anyway, I added the following JavaScript code right after the start of the document <body>:

    <script language="JavaScript">
    <!--
        if (top != self) {
            top.location.href = self.location.href;
        }
    // -->
    </script>

What this does is test whether the current window (in the JavaScript sense, denoting a browser window or a sub-frame thereof) is the topmost browser window. If it isn't, we've been "framed" by another site--embedded in a frame surrounded by other content of unknown provenance. If so, we replace the URL of the top frame with our own. I have tested this with Firefox 1.0, Internet Explorer 6, and Netscape 4.7 and it works fine with each browser.
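The same check as an added example (not code from the original post), written as a function over a window-like object so it can be exercised outside a browser. It goes one step beyond the post: if the assignment to the top frame's location throws, the page hides itself instead of rendering under someone else's banner. `fakeWindow` and the example.org / example.net URLs are constructed stand-ins.

```javascript
// Added example, not code from the original post.
function breakOutOfFrame(win) {
    // Same test as the post's snippet: are we the topmost window?
    if (win.top === win.self) {
        return "not-framed";            // loaded directly, nothing to do
    }
    try {
        // Only write top.location.href, never read it: a page may set a
        // cross-origin frame's location but may not read it.
        win.top.location.href = win.self.location.href;
        return "redirected";
    } catch (err) {
        // Assumption: if the browser refuses to navigate the top window,
        // the assignment throws. Fail closed by hiding our content.
        win.document.documentElement.style.display = "none";
        return "hidden";
    }
}

// Constructed stand-in for a browser window (hypothetical test helper).
// framed: the page sits inside another site's frameset.
// navigationBlocked: assigning the top frame's location throws.
function fakeWindow(framed, navigationBlocked) {
    const page = {
        location: { href: "https://example.org/viewer" },
        document: { documentElement: { style: {} } }
    };
    const topLocation = { current: "https://search.example.net/results" };
    Object.defineProperty(topLocation, "href", {
        set(url) {
            if (navigationBlocked) throw new Error("navigation refused");
            this.current = url;
        }
    });
    page.self = page;
    page.top = framed ? { location: topLocation } : page;
    return page;
}

// In a browser, apply the guard to the real window.
if (typeof window !== "undefined" && typeof document !== "undefined") {
    breakOutOfFrame(window);
}
```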

I am deliberately not identifying the offensive search engine because when I was experimenting with it, it attempted to pop up multiple advertisement windows, several of which appeared to try to install spyware/adware. I'm sure most readers of this site are well-protected against such attacks, but why put people unnecessarily at risk?

Posted at December 5, 2004 02:58