There is always, unfortunately, a way to get round frame killers, because of the way they work. (The site that is being framed can usually, however, display a warning.)
See Jeff Atwood's "disturbing revelation".
A few choice excerpts:
If an evil website decides it's going to frame your website, you will be framed. Period. Frame-busting is nothing more than a false sense of security; it doesn't work.
Frame busting code (from the linked Stack Overflow challenge):
<script type="text/javascript">
    var prevent_bust = 0
    window.onbeforeunload = function() { prevent_bust++ }
    setInterval(function() {
        if (prevent_bust > 0) {
            prevent_bust -= 2
            window.top.location = 'http://server-which-responds-with-204.com'
        }
    }, 1)
</script>
This code does the following:
- increments a counter every time the browser attempts to navigate away from the current page, via the window.onbeforeunload event handler
- sets up a timer that fires every millisecond via setInterval(), and if it sees the counter incremented, changes the current location to a server of the attacker's control
- that server serves up a page with HTTP status code 204, which does not cause the browser to navigate anywhere
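The warning mentioned in the first paragraph, sketched as an added example (not code from this answer or from the quoted post): the framed page shows a notice in place of its content and does not try to navigate the top window. The function names, the warning text and the `html { visibility: hidden }` stylesheet rule are assumptions of this example.

```javascript
// Added example. Assumes the page's stylesheet starts with
//   html { visibility: hidden }
// so the content stays hidden if this script never runs inside a frame.
const FRAME_WARNING =
  'This page is being shown inside a frame on another site. ' +
  'Open it in its own tab before entering any information.';

// True when `win` is not the top-level browsing context.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    return true; // cannot inspect the window chain: assume framed
  }
}

// Reveal the page when top-level; otherwise swap the content for a warning.
// It never assigns win.top.location, because the framing page can cancel
// that navigation with the onbeforeunload + 204 technique quoted above.
function applyFrameWarning(win, doc) {
  const framed = isFramed(win);
  if (framed) {
    doc.body.textContent = FRAME_WARNING; // drops forms and buttons
  }
  doc.documentElement.style.visibility = 'visible';
  return framed ? 'warned' : 'shown';
}

// Constructed stand-ins for window/document so the logic runs under Node.
function makeMock(framed) {
  const win = {};
  win.self = win;
  win.top = framed ? {} : win;
  const doc = {
    documentElement: { style: { visibility: 'hidden' } },
    body: { textContent: 'transfer form' },
  };
  return { win, doc };
}

// In a browser, run the check against the real window and document.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFrameWarning(window, document);
}
```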