I use this JavaScript code, and it works perfectly:

if (top.location != location) top.location.href = location.href

Many researchers told me to not use this.

Can anyone bypass it?

Are there any risks in using this? If yes, what?

One of them told me that an attacker can redefine location variable:

var location = 'foo';

But in Google Chrome, this doesn't seem to work.

Jeroen
Ashesh

2 Answers

You are talking about ClickJacking attacks. (The title was different before my edit)

Can anyone bypass it?

Yes, this can be bypassed when loading the page in an iframe. Unfortunately I do not have the code at the moment. However, what can be done is to disable JavaScript while loading the iframe. This will bypass your frame-busting code. (There's no such thing as frame-busting code, in my humble opinion.)

Is it necessary to use X-Frame-Options to prevent ClickJacking attacks?

For newer browsers it is the standard to prevent ClickJacking attacks. I do not see a reason not to use it, as it is quite simple to add the extra header for each response.

One of them told me that an attacker can redefine the location variable:

var location = 'foo';

As not all code is displayed, it's hard to say if this is exploitable or not. The only thing I can see from this one line of code is that the attacker could attack his own browser by modifying the variable location, which is useless.

Jeroen

Can anyone bypass it?

Yes. This can be done with the sandbox attribute. With this attribute, execution of JavaScript within the iframe can be disabled, and thus your frame-buster code will not be executed. Also, some clients might have execution of JavaScript disabled, for example when using the NoScript browser extension.

For more information see https://en.wikipedia.org/wiki/Framekiller and for a scientific comparison of frame busting methods and how they can be made to fail see http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf.

Steffen Ullrich