x-frame-option SAMEORIGIN and clickjacking in ASP.NET

Question

The application had problems with allowing to be loaded into iframe. I have read a lot about it (and clickjacking). As it is necessary to load a page into the iframe withing the same origin, I have come to the following solution:

Add the following to the global.asax file

HttpContext.Current.Response.AddHeader("x-frame-options", "SAMEORIGIN")

However, I know that not all browsers support this header. So, I want to add some additional javascript sollution. As I am not expert in javascript, I have found the following sollution:

<script>    
    if (self == top) {        
        var theBody = document.getElementsByTagName('body')[0]        
        theBody.style.display = "block"        
    } else {        
        top.location = self.location        
    }    
</script>

I know that it could be blocked if the one wants it very much, however, this makes some extra security.

My question is - 1) I do not understand the logic of this javascript code (can you give some comments about hte logic) 2) and if this works within SAMEORIGIN (allow iframe loading in the same page, but doesn't allo on other pages)?

edit:

I have found another approach that seems clear to me, however, I am not sure if this is more secure than above:

<style>html { visibility : hidden }</style>
<script>
    if (self == top ) {
        document.documentElement.style.visibility = 'visible';
    } else {
        top.location = self.location;
    }
</script>

Answer 1

self is the current page, and if it is equal to top which is the outermost framed page then the logic is that it isn't in a frame so everything is OK. If not, it sets the location of the outermost frame to be the current page (top.location = self.location;). This is known as "frame buster" code, but there have also been some published "frame buster buster" scripts that break attempts at stopping content being framed, so bear in mind that your JavaScript may not always work.

x-frame-options is the way to go, so if you've added that then you should be secure on modern browsers, but you could try this approach which will display a warning message if a site tries to stop your frame buster from working.