How to Prevent iFrame Breakaway

A few days ago I was searching for a solution to a problem I had encountered: I needed to prevent a third-party page from breaking out of an iframe inside a web page of my web application. For people who are not closely familiar with JavaScript, the following JS snippet, of the kind a framed page runs to escape its frame, makes it clearer how a page can break out of an iframe:

// Classic frame-busting. Reading top.location.href from a cross-origin frame is
// blocked by the browser, so the windows themselves are compared; assigning
// top.location from inside a frame is allowed, which is the whole problem.
if (top != self) {
    top.location = self.location;
}

In words: if this document is not the top-level window, navigate the top-level window to this document's URL, so the framed page replaces the page that framed it.

I needed to implement something on my end that would block or prevent the above script, or anything similar to it, from executing. I spent several hours browsing the Net, talking to people on IRC and simply trying things by trial and error.

After some time I understood that I would not be able to find a solution to my problem, simply because, unfortunately, there is none. Having said that, I have some findings to share:

  1. There is an iframe security attribute which only works in IE. Setting security="restricted" on the iframe prevents it from breaking out; it does so by loading the framed content in the Restricted sites zone, where scripting is disabled altogether, so it blocks every script in the frame, not just the frame-buster. It's always "nice" to see that MS have a few tricks up their sleeve :). On one of the forums someone mentioned that the same attribute works in Opera as well as in IE. I haven't tested it myself in Opera; I can only say that it works in IE and not in FF.
  2. Use the window.onbeforeunload event to prompt the user with a dialog asking whether they really want to navigate away from the current page. If the user disagrees (clicks "Cancel"), they remain on the current page, so in a sense the iframe breakaway is cancelled. Note that there is no way to suppress the dialog or to make "Cancel" the default: the outcome depends entirely on the user's click, so this is a speed bump rather than a control.
  3. Fetch the content of the third-party page on the server with the PHP cURL library and serve it from a placeholder page of your own, which is then put inside the iframe. The grabbed content will not attempt to break out, but any request submitted from the placeholder page (a hyperlink or a button click inside the grabbed content) will cause the page to unload. Be aware of what this proxying does to the browser's security model as well: content served from your own placeholder page is same-origin with your application, so any script in the third-party page now runs with full access to your application's DOM, cookies and session, which is considerably worse than a frame breakaway.

Also, while researching, I came across a post that discusses preventing iframe breakaway and clickjacking with the help of an HTTP 204 (No Content) response.

After all that, my conclusion is:
If the page inside the iframe is not yours, in other words it is hosted under another domain, it is not actually possible to stop that page from unloading the top-level window. Anything that could do that would allow malicious sites to "trap" a user indefinitely. (That was true of the browsers available when this was written. Browsers that implement the HTML5 iframe sandbox attribute do give the embedding page this control: a framed document is blocked from navigating the top-level window unless the sandbox value includes allow-top-navigation, and the user is not trapped, because it is the embedding page, not the framed one, that chose the restriction.)

I would love to hear any other suggestions regarding iframe breakout you may have dear readers.

Cheers

Export to PDF using iText and Flying Saucer

In my previous post I attempted to generate PDF on the fly using the iText library. My goal was to turn an HTML snippet into PDF. Unfortunately, as I discovered, iText alone is not powerful enough as an HTML parser, and it is not flexible enough to handle CSS. That is understandable, since iText's main job is PDF generation, not HTML parsing.

While trying to find a workaround for iText's limitations, I came across the Flying Saucer Java library. Flying Saucer is an XML/XHTML/CSS 2.1 renderer that uses iText and can render CSS stylesheets and XHTML, either static or generated, directly to PDF.

I want to say that Flying Saucer does a beautiful job. You can check this out by trying to export the current post to PDF :)

Joshua Marinacci, the Flying Saucer project lead, wrote a nice tutorial that explains how to generate PDF with Flying Saucer.

Export to PDF Using iText Java-PDF Library

I had some time this weekend, so I used iText, a free Java PDF library, to make a plug-in for the Pebble blogging software. The plug-in allows blog entries to be exported to a PDF document.

I liked this library, except for one thing: converting HTML snippets to PDF. The library does allow you to assign styles to HTML tags during export.

The conversion is done by the HTMLWorker class, and styles can be assigned to the tags it supports:

ol ul li a pre font span br p div body table td th tr i b u sub sup em
strong s strike h1 h2 h3 h4 h5 h6 img
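As an added illustration of the HTMLWorker route (this is my example, not code from the Pebble plug-in or from iText's own documentation), the following renders a snippet built from the tags listed above into an in-memory PDF, with a StyleSheet that sets the font face and size per tag and a colour for elements carrying class="note". It assumes iText 2.x (the com.lowagie package); the class name, the style values and the sample snippet are my own choices.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.StringReader;
import java.util.List;

import com.lowagie.text.Document;
import com.lowagie.text.Element;
import com.lowagie.text.html.simpleparser.HTMLWorker;
import com.lowagie.text.html.simpleparser.StyleSheet;
import com.lowagie.text.pdf.PdfWriter;

/** Renders an HTML snippet to PDF bytes with iText 2.x's HTMLWorker (example code). */
public class HtmlSnippetToPdf {

    /**
     * Per-tag and per-class styles. The keys are the ones HTMLWorker's font
     * factory reads: "face", "size" and "color". Values are assumptions
     * chosen for a blog export; change them to taste.
     */
    static StyleSheet blogStyles() {
        StyleSheet styles = new StyleSheet();
        styles.loadTagStyle("body", "face", "Helvetica");
        styles.loadTagStyle("body", "size", "11pt");
        styles.loadTagStyle("h1", "size", "18pt");
        styles.loadTagStyle("h2", "size", "15pt");
        styles.loadTagStyle("pre", "face", "Courier");
        styles.loadTagStyle("pre", "size", "9pt");
        // loadStyle applies to elements with class="note"
        styles.loadStyle("note", "color", "#555555");
        return styles;
    }

    /** Parses the snippet with HTMLWorker and adds each resulting element to a fresh PDF document. */
    public static byte[] render(String html) throws Exception {
        Document doc = new Document();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        PdfWriter.getInstance(doc, out);
        doc.open();
        // parseToList returns a raw ArrayList of com.lowagie.text.Element in iText 2.x
        List elements = HTMLWorker.parseToList(new StringReader(html), blogStyles());
        for (Object e : elements) {
            doc.add((Element) e);
        }
        doc.close();
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; it uses only tags from HTMLWorker's supported list.
        String html = "<h1>Entry title</h1>"
                + "<p class=\"note\">Posted to the <b>Java</b> category.</p>"
                + "<pre>if (top != self) top.location = self.location;</pre>"
                + "<ul><li>first point</li><li>second point</li></ul>";
        byte[] pdf = render(html);
        FileOutputStream file = new FileOutputStream("entry.pdf");
        try {
            file.write(pdf);
        } finally {
            file.close();
        }
    }
}
```

One caveat before pointing this at anything other than your own posts: HTMLWorker resolves the URLs in img tags itself while it parses, so converting markup written by other people (comments, trackbacks) lets them make the server fetch URLs of their choosing at export time. Strip or whitelist images, or sanitize the snippet to the tags you actually need, before handing it to the parser.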

Unfortunately there isn't much documentation on what you can do with styles. So after poking through the source code and going through the iText mailing lists for examples, my results were a bit disappointing.

The PDF export works fine, except when a blog entry has images. In that case the images are exported to the PDF with text overlaying them.

I am hoping that some of the people who have done a lot of work with iText in the past will be able to share their experience.

Recent update:
In a later post I talk about the Flying Saucer Java library, an XML/XHTML/CSS 2.1 renderer that uses iText and can render CSS stylesheets and XHTML, either static or generated, directly to PDF.

Hibernate Event Interceptor

It is quite common, when you create an application, to need an application-level audit trail in which all entity insert, update and delete events are logged.

In this post I describe a simple approach that avoids littering your application code with audit statements. The solution is to register a class as a listener for Hibernate events. Each time the listener is triggered you can write the audit information to a database table or a log file.

The following shows a Hibernate event listener class that is triggered after a persistent entity is inserted, deleted or updated (the post-* events fire during flush, once the SQL statement has been issued but before the transaction commits):

import org.hibernate.cfg.Configuration;
import org.hibernate.event.Initializable;
import org.hibernate.event.PostDeleteEvent;
import org.hibernate.event.PostDeleteEventListener;
import org.hibernate.event.PostInsertEvent;
import org.hibernate.event.PostInsertEventListener;
import org.hibernate.event.PostUpdateEvent;
import org.hibernate.event.PostUpdateEventListener;

// Receives the post-insert/update/delete events of every entity in the
// persistence unit. Hibernate instantiates it reflectively from the class
// name given in persistence.xml, so it needs a public no-arg constructor.
public class HibernateEventInterceptor implements PostInsertEventListener,
                                                  PostUpdateEventListener,
                                                  PostDeleteEventListener,
                                                  Initializable {

    public HibernateEventInterceptor() {
    }

    // Called once with the Configuration when the listener is registered.
    public void initialize(Configuration cfg) {
    }

    public void onPostInsert(PostInsertEvent event) {
        String entityName = event.getPersister().getEntityName();
        System.out.println("Inserted entity: " + entityName);
    }

    public void onPostUpdate(PostUpdateEvent event) {
        String entityName = event.getPersister().getEntityName();
        System.out.println("Updated entity: " + entityName);
    }

    public void onPostDelete(PostDeleteEvent event) {
        String entityName = event.getPersister().getEntityName();
        System.out.println("Deleted entity: " + entityName);
    }
}

The following extra configuration must be added to persistence.xml for the listener class to be triggered. These hibernate.ejb.event.* properties belong to the Hibernate 3.x EntityManager (Hibernate 4 and later register listeners programmatically through the EventListenerRegistry instead), and several listeners for one event can be given as a comma-separated list of class names:

<persistence>
    <persistence-unit name="org.example.demo">
        <jta-data-source>java:/test</jta-data-source>
        <properties>
            ...
            <property name="hibernate.ejb.event.post-insert" value="org.example.demo.HibernateEventInterceptor"/>
            <property name="hibernate.ejb.event.post-update" value="org.example.demo.HibernateEventInterceptor"/>
            <property name="hibernate.ejb.event.post-delete" value="org.example.demo.HibernateEventInterceptor"/>
        </properties>
    </persistence-unit>
</persistence>
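Printing the entity name is enough to prove the listener fires, but an audit trail has to answer who changed what. The following listener, added here as an example of my own rather than code from the original post, goes one step further on the same Hibernate 3.x event API: it diffs the old and new property state on update, records the full state on insert and delete, redacts properties that must never be written to a log (password hashes, tokens) and tags every record with the acting user. It is registered exactly like the interceptor above. The AuditSink interface, the ThreadLocal user holder and the list of redacted property names are my assumptions; wire them to your own table, request filter and entity model.

```java
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.hibernate.cfg.Configuration;
import org.hibernate.event.Initializable;
import org.hibernate.event.PostDeleteEvent;
import org.hibernate.event.PostDeleteEventListener;
import org.hibernate.event.PostInsertEvent;
import org.hibernate.event.PostInsertEventListener;
import org.hibernate.event.PostUpdateEvent;
import org.hibernate.event.PostUpdateEventListener;
import org.hibernate.persister.entity.EntityPersister;

/**
 * Example audit listener: records who changed which entity, property by property.
 * Registered via hibernate.ejb.event.post-insert/-update/-delete like the
 * interceptor above, so it must keep a public no-arg constructor.
 */
public class AuditTrailListener implements PostInsertEventListener,
        PostUpdateEventListener, PostDeleteEventListener, Initializable {

    /** Destination for audit records (hypothetical); implement over an append-only table or log. */
    public interface AuditSink {
        void record(String line);
    }

    // Assumed names of properties whose values must never appear in the trail.
    private static final Set<String> REDACTED =
            new HashSet<String>(Arrays.asList("password", "passwordHash", "secret", "token"));

    // Hibernate creates the listener reflectively, so collaborators are set statically at startup.
    private static volatile AuditSink sink = new AuditSink() {
        public void record(String line) { System.err.println("AUDIT " + line); }
    };
    // Acting principal; assumption: a request filter sets it after authentication and clears it afterwards.
    private static final ThreadLocal<String> currentUser = new ThreadLocal<String>();

    public static void setSink(AuditSink s) { sink = s; }
    public static void setCurrentUser(String user) { currentUser.set(user); }
    public static void clearCurrentUser() { currentUser.remove(); }

    public AuditTrailListener() { }

    public void initialize(Configuration cfg) { }

    public void onPostInsert(PostInsertEvent event) {
        EntityPersister p = event.getPersister();
        emit("INSERT", p.getEntityName(), event.getId(),
             describe(p.getPropertyNames(), null, event.getState()));
    }

    public void onPostUpdate(PostUpdateEvent event) {
        EntityPersister p = event.getPersister();
        // getOldState() is null when Hibernate had no snapshot of the row (for example a
        // detached entity updated without select-before-update); then every property is listed.
        List<String> changes = describe(p.getPropertyNames(), event.getOldState(), event.getState());
        if (changes.isEmpty()) {
            return; // flush found nothing that actually differed
        }
        emit("UPDATE", p.getEntityName(), event.getId(), changes);
    }

    public void onPostDelete(PostDeleteEvent event) {
        EntityPersister p = event.getPersister();
        emit("DELETE", p.getEntityName(), event.getId(),
             describe(p.getPropertyNames(), null, event.getDeletedState()));
    }

    /** With a "before" state, lists only properties whose value changed; without one, lists them all. */
    static List<String> describe(String[] names, Object[] before, Object[] after) {
        List<String> out = new ArrayList<String>();
        for (int i = 0; i < names.length; i++) {
            Object a = after == null ? null : after[i];
            if (before == null) {
                out.add(names[i] + "=" + render(names[i], a));
                continue;
            }
            Object b = before[i];
            boolean same = (b == null) ? a == null : b.equals(a);
            if (!same) {
                out.add(names[i] + "=" + render(names[i], b) + "->" + render(names[i], a));
            }
        }
        return out;
    }

    private static String render(String property, Object value) {
        if (REDACTED.contains(property)) {
            return "<redacted>";
        }
        return value == null ? "null" : String.valueOf(value);
    }

    private static void emit(String action, String entity, Serializable id, List<String> details) {
        String user = currentUser.get() == null ? "<system>" : currentUser.get();
        sink.record(action + " " + entity + "#" + id + " by " + user + " " + details);
    }
}
```

Two design points worth keeping in mind. The listener hands records to a sink instead of persisting them through event.getSession(): the post-* events run in the middle of a flush, and starting new persistence work there is a classic source of recursion and ConcurrentModificationException; a separate session on the same JDBC connection, or a transaction-synchronization hook that writes the collected records just before commit, keeps the audit rows in the same transaction as the change so that both roll back together. And System.err, like System.out in the original, is not an audit trail: whatever the sink writes to should be append-only and out of reach of the application's own database user, otherwise the person whose actions you are recording can also erase them. If what you actually need is a full history of every row, Hibernate Envers does this out of the box.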