05 August 2009 ~ 17 Comments

BBC's hidden JavaScript framekiller!

I have been working on a project for a client over the last months, a big portal for a British client. The portal delivers content from various sources, and is built in a frameset (please, the frameset discussion is off-topic!).

From quite early in the project my client's client reported some weird behaviour that we, no matter what, never managed to reproduce.

The frameset is quite simple:

<frameset rows="100, *" frameborder="0" border="0">
<frame name="top" src="topp.html" marginwidth="0" marginheight="0" scrolling="auto" frameborder="0" border="0" />
<frame name="main" src="main.html" marginwidth="0" marginheight="0" scrolling="auto" frameborder="0" border="0" />
</frameset>

What happened was that links in "top", which contains the menu, behaved as if they had target="_top" and not target="main", as they actually had!

After weeks of discussions we arranged an online meeting with the client so they could show us and reproduce the issue, but no way – it couldn't be reproduced.

Then they found a clue. It always happened after they visited the BBC's website! How strange is that? Quite early in the process I understood that something, somehow, had changed the DOM in the client's browser, which by the way was IE6.

So, finally we had somewhere to start digging. After endless code digging on bbc.co.uk's site I finally found it. At news.bbc.co.uk they have a JavaScript for opening their web radio, and that little devil of a script is the root of all evil:

window.name="main";
function aodpopup(URL){
window.open(URL,'aod','width=693,height=525,toolbar=no,personalbar=no,location=no,directories=no,statusbar=no,menubar=no,status=no,resizable=yes,left=60,screenX=60,top=100,screenY=100');
}
if(location.search.substring(1)=="focuswin"){
	window.focus();
}

Do you notice the code on line 1? window.name="main"; What the heck is that? Who writes this crap?

It causes the browser to imagine that its window name is main:

[Screenshot: screenshot_bbc_frameset_killer]

So, when I visit a new website after that – my local newspaper:

[Screenshot: screenshot_bbc_frameset_killer_bt]

The window.name is still main!

I am not sure if I am going to blame the BBC or the browser vendors for this. Should one site take possession of the window.name property? Even secured, https, websites keep the window.name value.

The solution and the lesson is: if you depend on window naming, make sure you control it by setting the window.name property explicitly:

window.name="";

does the trick and saves you from a headache.
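The collision and the reset described above, as an added example that is not part of the original post. It uses a simplified model of target lookup (first name match in document order, starting at the top-level window), and the helper names and the plain-object window tree are constructed for illustration:

```javascript
// Simplified model (an assumption, not any browser's exact algorithm):
// a link target is resolved by walking the window tree from the top-level
// window in document order and taking the first window whose name matches.
function resolveTarget(topWindow, targetName) {
  const pending = [topWindow];
  while (pending.length > 0) {
    const win = pending.shift();
    if (win.name === targetName) return win;
    pending.unshift(...win.frames); // pre-order: visit children next
  }
  return null; // a real browser would open a new window instead
}

// Guard for the frameset document: discard whatever name the top-level
// window inherited from a previously visited site, and report whether it
// clashed with one of our own frame names. In the real page this is the
// post's one-liner, window.name = "", run in the frameset document.
function resetInheritedName(topWindow) {
  const inherited = topWindow.name;
  const collided = topWindow.frames.some((f) => f.name === inherited);
  topWindow.name = "";
  return { inherited, collided };
}

// Constructed stand-in for the post's frameset: a top-level window holding
// the "top" (menu) and "main" (content) frames.
function makeFrameset(inheritedName) {
  return {
    name: inheritedName,
    label: "frameset window",
    frames: [
      { name: "top", label: "menu frame", frames: [] },
      { name: "main", label: "content frame", frames: [] },
    ],
  };
}

// Tab previously visited a page that ran window.name = "main".
const tainted = makeFrameset("main");
console.log(resolveTarget(tainted, "main").label); // whole window is replaced
console.log(resetInheritedName(tainted));
console.log(resolveTarget(tainted, "main").label); // content frame again
```
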

17 Responses to “BBC's hidden JavaScript framekiller!”

  1. Kyle Simpson 17 August 2009 at 23:58

    window.name “hijacking” as a transport is one of the several cross-domain Ajax hacks that sites will use. So, once again, we prove things can be used for good or for evil. Good catch though. Tough one to remember or track down.

  2. Amir 19 August 2009 at 08:58

    I know the use of window.name for cross site scripting, but why the heck does the BBC need to use it?

    Interesting post – thanks for sharing.
    Amir

  3. Carl 2 September 2009 at 10:48

    I feel your pain!
    Excellent bit of sharing, I hope I remember it when needed. Did you contact the BBC guys?

  4. maksimer 5 September 2009 at 22:58

    @Carl, yes – I have sent them an email, but probably I don’t have the right contact point. No response so far.

    Anyone know who should be contacted?

  5. Little Joe 2 October 2010 at 08:03

    Good day, Will you be publishing a follow-up write-up?

  6. maksimer 4 October 2010 at 22:51

    No plans for a follow up at this time. Got some BBC developers involved. Haven’t heard anything lately and I have not had the time to check it out.

  7. Robert 5 November 2010 at 18:21

    Just read through the post, thanks again. For the people who had problems viewing the page using Google Chrome: clear your cache, it will work then.

  8. brill 30 September 2011 at 11:29

    I know this post is old now, but just checked the BBC site and it doesn’t appear to be setting the window.name property anymore.
