getting the "location.href" of the parent frame

seems like a permission problem

         

httpwebwitch

9:35 pm on Feb 6, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have a common page being loaded in frames on a number of different sites. I'd like the child frame to be able to detect which site it is being loaded in, so it can behave slightly differently.

Is there a way to do that?

For example, in the child frame, I have this script:


alert(top.location.href);

It causes a javascript error: "Permission denied".

any advice?

dcrombie

9:42 pm on Feb 7, 2004 (gmt 0)



JS security won't let you identify pages from other sites (unless you use version 3 browsers). Can you check the 'referrer' to see what the site is? Or, if the enclosing site is friendly, you could get them to add a parameter to the frame url.

httpwebwitch

7:55 pm on Feb 9, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm not sure if the referrer shows up in the server variables when our page is loaded in a frame. Unfortunately, I can't experiment without disrupting important pages on our website.

You might find this interesting...

What's happening is that our site is being opened within a full-screen frame, which belongs to a pornography site. The frameset is filled with XXX-related key words and hidden text describing fetishist and descriptions of an adult nature.

Javascript is being used on their pages to show a different frame SRC depending whether the referrer is a search engine (from a list of well-known domains) or something else... when the referrer is a search engine, it shows our site in this full-screen frame. When the referrer is something else, it shows a page full of smut.

I believe it's a tactic to draw links to pornography, using our site and its well-placed Search Engine results "bait". Our site isn't the only one being targeted this way - I have found other pages that are similarly being used as fronts for entry pages to this pornography scheme.

I would never have even noticed this, if they hadn't accidentally made a broken link - which showed up in our server logs as 404 errors. I checked them out and was surprised to see our site being manipulated in this way.

I've put in a classic "break out of frames" script, which effectively takes over when this happens. But I'd still like to find effective defensive action against malicious use of our site using frames.

The reason I'm looking for a "way around" Javascript security is I'd like to be able to find all these pages that are using our site as "bait".

I have an effective script (in PHP) that sends me an e-mail when our site is opened in a frame. However I am unable to identify the 'location.href' or any other information about the parent frame - all I can do is detect (window.top != self) ... the parent frame has to be detected on the client end, from within our own domain.

Any advice is welcome! thanks

Miki

4:24 am on Feb 10, 2004 (gmt 0)

10+ Year Member



Are you in a position to compare the timestamp from the email with the timestamps in the server log to find out what the referring URL is, then block that referring URL with .htaccess? :)

Purple Martin

4:36 am on Feb 10, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



[edit]Forget it. I was being dumb.[/edit]

httpwebwitch

5:49 pm on Feb 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



hmm... miki, that's an interesting idea! A lot of work, depending on how many of these fake doorway pages there are. Over one weekend, our site was opened in a frame 1,080 times. If I don't find a more automated solution, I'll try poking around in the logs to see if there are any obvious patterns.

One immediate question: is a parent frame treated as a "referrer"? Is it detected as such?

zylstra

3:37 pm on Feb 25, 2004 (gmt 0)

10+ Year Member



Yes, the parent frame is treated as "Referer". Just use ieHTTPheaders, only if you have XP, at to see for yourself.

jonathanleger

9:38 pm on Feb 25, 2004 (gmt 0)

10+ Year Member



Out of curiosity, I created a frameset on localhost pointing to a website of mine. The javascript on the website did indeed show localhost as the referrer.
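
The approach the thread arrives at, as an added example that is not code from any poster: detect framing, try `top.location.href` (which only works for a same-origin parent), and fall back to `document.referrer`, which the last two replies report holds the framing page's URL. The `fakeWindow` helper, the sample URLs and the `/framed-report.php` endpoint are constructed assumptions for illustration.

```javascript
// Identify the framing page from inside the framed document.
// `win` is a window-like object so the logic can be exercised outside a browser.
function describeFraming(win) {
  // Not framed: the top-level window is this window.
  if (win.top === win.self) {
    return { framed: false, parentUrl: null, source: null };
  }
  // Same-origin parent: reading top.location.href is allowed.
  try {
    const href = win.top.location.href;
    if (href) return { framed: true, parentUrl: href, source: "top.location" };
  } catch (e) {
    // Cross-origin parent: the browser throws ("Permission denied" in the thread).
  }
  // For a document loaded as a frame SRC, document.referrer is the framing page.
  const ref = win.document.referrer || null;
  return { framed: true, parentUrl: ref, source: ref ? "referrer" : null };
}

// Build the URL for a hypothetical logging endpoint on our own site.
function reportUrl(info, endpoint) {
  if (!info.framed) return null;
  return endpoint +
    "?parent=" + encodeURIComponent(info.parentUrl || "unknown") +
    "&via=" + encodeURIComponent(info.source || "none");
}

// Constructed stand-in for a browser window (hypothetical test helper).
function fakeWindow(opts) {
  const win = { document: { referrer: opts.referrer || "" } };
  win.self = win;
  if (!opts.framed) { win.top = win; return win; }
  const top = {};
  Object.defineProperty(top, "location", {
    get() {
      if (opts.crossOrigin) throw new Error("Permission denied");
      return { href: opts.parentHref };
    },
  });
  win.top = top;
  return win;
}

// In a browser:
//   const info = describeFraming(window);
//   if (info.framed) new Image().src = reportUrl(info, "/framed-report.php");
```

The referrer can be empty when the framing page suppresses it, so a missing value does not mean the page is unframed. Current browsers also let the server refuse framing outright with the `Content-Security-Policy: frame-ancestors` or `X-Frame-Options` response headers.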