BBC's hidden JavaScript framekiller!
I have been working on a project for a client over the last months: a big portal for a British client. The portal delivers content from various sources and is built in a frameset (please, the frameset discussion is off-topic!).
From quite early in the project my client's client reported some weird behaviour that we, no matter what, never managed to reproduce.
The frameset is quite simple:
<frameset rows="100, *" frameborder="0" border="0">
  <frame name="top" src="topp.html" marginwidth="0" marginheight="0" scrolling="auto" frameborder="0" border="0" />
  <frame name="main" src="main.html" marginwidth="0" marginheight="0" scrolling="auto" frameborder="0" border="0" />
</frameset>
What happened was that links in "top", which contains the menu, behaved like they had target="_top" and not target="main" as they actually had!
After weeks of discussions we arranged an online meeting with the client for them to show us and reproduce the issue, but no way – it couldn’t be reproduced.
Then they found a clue. It always happened after they visited the BBC's website! How strange is that? Quite early in the process I understood that something, somehow, had changed the DOM on the client's browser, which by the way was IE6.
So, finally we had somewhere to start digging. After endless code digging at bbc.co.uk’s site I finally found it. At news.bbc.co.uk they have a JavaScript for opening their webradio, and that little devil script is the root of all evil:
window.name="main";
function aodpopup(URL){
  window.open(URL,'aod','width=693,height=525,toolbar=no,personalbar=no,location=no,directories=no,statusbar=no,menubar=no,status=no,resizable=yes,left=60,screenX=60,top=100,screenY=100');
}
if(location.search.substring(1)=="focuswin"){
  window.focus();
}
Do you notice that code on line 1? window.name="main"; What the heck is that? Who writes this crap?
It causes the browser to imagine that its window name is main:
So, when I visit a new website after that – my local newspaper:
The window.name is still main!
I am not sure if I am going to blame the BBC or the browser vendors for this. Should one site take possession of the window.name property? Even secured, https, websites keep the window.name value.
The solution and the lesson: if you depend on window naming, make sure you control it by setting the window.name property explicitly:
window.name="";
does the trick and saves you from a headache.
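One way to apply the fix above from the top-level frameset document, as an added example (not code from the original post or from the BBC). The names resetInheritedWindowName, FRAME_NAMES and makeWindow are assumptions made for illustration; FRAME_NAMES mirrors the frame names in the frameset shown earlier.

```javascript
// Added example: load this in the top-level frameset document, before any
// menu link can be clicked. FRAME_NAMES (hypothetical constant) mirrors the
// <frame name="..."> values of the frameset shown in the post.
const FRAME_NAMES = ["top", "main"];

// Clears a window name left behind by a previously visited site.
// Returns a report so the page can log how often a stale name shows up.
function resetInheritedWindowName(win, frameNames = FRAME_NAMES) {
  const isTopLevel = win.top === win;
  const inherited = win.name || "";
  const report = {
    isTopLevel,
    inherited,
    // True when the stale name equals one of our own frame targets,
    // which is the exact situation that redirected target="main" links.
    collides: frameNames.includes(inherited),
    cleared: false,
  };
  // Only the top-level window is reset; the frames must keep the names
  // the frameset assigned, or target="main" would stop working.
  if (isTopLevel && inherited !== "") {
    win.name = "";
    report.cleared = true;
  }
  return report;
}

// Constructed stand-in for a browser window object (hypothetical helper),
// so the logic can be exercised outside a browser.
function makeWindow(name, parent) {
  const win = { name };
  win.top = parent ? parent.top : win;
  return win;
}

// In a real browser, run the reset immediately and surface collisions.
if (typeof window !== "undefined") {
  const result = resetInheritedWindowName(window);
  if (result.collides) {
    console.warn("Stale window.name matched a frame target:", result.inherited);
  }
}
```

Because window.name survives navigation to another site, clearing it at the top level also discards whatever data the previous page stored there.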



window.name “hijacking” as a transport is one of the several cross-domain Ajax hacks that sites will use. So, once again, we prove things can be used for good or for evil. Good catch though. Tough one to remember or track down.
Kyle Simpson
17 Aug 09 at 23:58
I know the use of window.name for cross site scripting, but why the heck does the BBC need to use it?
Interesting post – thanks for sharing.
Amir
19 Aug 09 at 08:58
I feel your pain!
Excellent bit of sharing, I hope I remember it when needed. Did you contact the BBC guys?
Carl
2 Sep 09 at 10:48
@Carl, yes – I have sent them an email, but probably I don’t have the right contact point. No response so far.
Anyone know who should be contacted?
Nils-Fredrik G. Kaland
5 Sep 09 at 22:58