How to prevent my ISP from putting every website in a frame?

Solution 1:

If the frame-busting code on Stack Exchange sites is working for you, then you could write a userscript to insert frame-busting code on every site. If you've never made a userscript before, here are some resources to get started:

  • http://www.chromium.org/developers/design-documents/user-scripts
  • http://www.webmonkey.com/2010/02/get_started_with_greasemonkey/

There's a good Stack Overflow thread on frame busting and frame-bust-buster-busting. You could theoretically take some of the code from the answers on the SO post and inject it into every page using a userscript.
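A userscript along the lines Solution 1 describes, as an added example (not code from the answer or from the linked Stack Overflow thread). It only breaks out when the top page is cross-origin and the frame covers most of the screen, so ordinary embedded widgets are left alone; the names `shouldBust`, `bust` and the `MIN_COVERAGE` threshold are assumptions made for this sketch.

```javascript
// ==UserScript==
// @name     Break out of ISP frame (added example)
// @match    http://*/*
// @grant    none
// ==/UserScript==
// Only plain-HTTP pages are matched: that is the traffic an ISP can rewrite.

// Share of the screen a frame must cover before it is treated as a
// "whole site in a frame" wrapper rather than an embedded widget.
// Assumed value; tune it for your own connection and window size.
const MIN_COVERAGE = 0.6;

// Pure decision function so it can be exercised outside a browser.
// `win` needs: self, top, parent, innerWidth, innerHeight, screen.
function shouldBust(win) {
  if (win.top === win.self) return false;    // not framed at all
  if (win.parent !== win.top) return false;  // nested deeper: a widget inside a page
  try {
    // Readable only when the top page is same-origin (the site framing itself).
    void win.top.location.href;
    return false;
  } catch (e) {
    // Cross-origin top page: fall through to the size heuristic.
  }
  const area = win.innerWidth * win.innerHeight;
  const screenArea = win.screen.availWidth * win.screen.availHeight;
  return screenArea > 0 && area / screenArea >= MIN_COVERAGE;
}

// Replace the wrapper page with the framed page's own URL.
function bust(win) {
  if (!shouldBust(win)) return false;
  // Navigating the top window is permitted across origins unless the
  // frame is sandboxed without allow-top-navigation.
  win.top.location.replace(win.location.href);
  return true;
}

// Userscript managers run this in every frame unless @noframes is set.
if (typeof window !== 'undefined') bust(window);
```

If the wrapper sandboxes its frame, the navigation is refused by the browser and this script has no effect.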

Solution 2:

Vote with your wallet and don't use an ISP that does this garbage.

If that's not possible, your next best bet would be to hide all the traffic from your ISP so that they can't see inside and consequently modify it. You can accomplish this by encrypting all/as much as possible of your traffic.

You can do that with browser addons like HTTPS Everywhere. It has a large list of websites for which the addon forces an HTTPS connection. Also make sure your browser has the SPDY protocol enabled. As part of the SPDY spec, all connections are encrypted.

To go one step further, consider using a VPN service. That will make the content of your traffic totally hidden from your ISP and will prevent such content modification.

Solution 3:

If your ISP is doing this by injecting JavaScript sourced from a specific domain, you could use a JavaScript blacklist extension to avoid running any JavaScript from that domain. (One of the public hotspots I connect to uses this approach.) However, if your ISP injects the entire script directly, then I don't think this will work.

Chrome: JavaScript Blacklist

Firefox: YesScript

You should also be able to use ad blocking extensions to block JavaScript. The most popular ones support custom filter lists, and it should be pretty easy to add an extra filter pattern to catch the framing code. If you're already running an ad blocker anyway, this might be the most sensible approach.

Solution 4:

Besides the frame busting trick, I would suggest getting the IPs of the servers that serve the framed pages and blocking them. If you are using China Telecom like me, they don't always frame the pages and, when they do so, a simple reload will give you the un-framed page. I guess they cannot frame everything since hijacking millions of connections per minute would bring down their resources quickly.

So what I ended up doing is to block all these IPs so I get a clean connection error when they try to mess with the current request. Then I know I can reload to get the real page. An added advantage of this method is that you don't send these servers any information, while for the frame-busting trick, the request still goes there (and given the crap they send back, I wouldn't trust them with the sensitive info that might end up in their logs).

For information, here are the IPs I've currently collected and blocked:
