How to prevent IFraming with a whitelist

Posted 2024-08-13 10:01:34


I'm creating some IFrameable content. We want the user to be able to IFrame this page, but only from a set list of domains.

Is there anything that we can check to see what the domain name of the parent page is?

// frame-buster: if this page is not the top-level document, navigate the top window to it
if (top != self) { top.location.replace(self.location.href); }


Comments (3)

人海汹涌 2024-08-20 10:01:34


No, the location of the parent page is not visible if that page is not in your security context (Same Origin Policy). You can of course look at the document.referrer of your own frame, but this isn't totally waterproof... referrer-checking on the client side is marginally less useless than on the server-side, but it can still be circumvented by something like a refresh-forwarder in the frame.

The frame-ancestors restriction in Content Security Policy may one day allow this.
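Since this answer was written, `frame-ancestors` has shipped in CSP Level 2 and is the standard way to let a page be framed only from a fixed list of origins; `X-Frame-Options` cannot express a list (its `ALLOW-FROM` form only ever took a single URI and is no longer honoured). The following is an added example, not code from the original post or from bobince's answer: a Node.js response handler that validates an allowlist and emits the header. The two allowed origins, the port and the handler name are placeholders.

```javascript
// Added example: server-side framing allowlist via CSP frame-ancestors.
// Assumptions: the allowed origins and the port 8080 are placeholders.

const ALLOWED_ORIGINS = ["'self'", "https://good-domain.com", "https://another-good-domain.com"];

// Accept the CSP keywords or a canonical origin (scheme://host[:port], no
// path/query). A host-source wildcard such as https://*.good-domain.com is
// accepted too, by probing it with a concrete label in place of the "*".
function isValidFrameAncestorSource(src) {
  if (src === "'self'" || src === "'none'") return true;
  const probe = src.replace("://*.", "://wildcard.");
  let u;
  try { u = new URL(probe); } catch (e) { return false; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return false;
  // URL.origin drops default ports and anything after the host, so equality
  // with the input means the input was already a bare origin.
  return u.origin === probe;
}

// Build the directive value; an empty list fails closed to 'none'.
function frameAncestorsValue(origins) {
  const bad = origins.filter((o) => !isValidFrameAncestorSource(o));
  if (bad.length) throw new Error("not a valid frame-ancestors source: " + bad.join(", "));
  return "frame-ancestors " + (origins.length ? origins.join(" ") : "'none'");
}

// HTTP handler for the framable page. The browser that loads this response
// enforces the policy, so the framing page cannot influence it.
function handler(req, res) {
  res.setHeader("Content-Security-Policy", frameAncestorsValue(ALLOWED_ORIGINS));
  // Fallback for browsers without CSP2: they block everything but same-origin
  // framing. Browsers that understand frame-ancestors ignore X-Frame-Options
  // when both headers are present.
  res.setHeader("X-Frame-Options", "SAMEORIGIN");
  res.setHeader("Content-Type", "text/html; charset=utf-8");
  res.end("<!doctype html><p>framable content</p>");
}

// Run with `node thisfile.js serve` to serve it on the placeholder port.
if (typeof require !== "undefined" && require.main === module && process.argv[2] === "serve") {
  require("http").createServer(handler).listen(8080, () => console.log("listening on :8080"));
}
```

The validation matters because `frame-ancestors` source expressions are matched by scheme and host, not by full URL: an entry with a trailing slash or a path is rejected here rather than silently emitted as a directive that never matches.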

↘人皮目录ツ 2024-08-20 10:01:34


As bobince said, document.referrer looks to be your best bet. You would check this in the page that would be the src of the iFrame. However, HTTP referer information can be easily spoofed so this method isn't very secure.

This article shows how to do it using PHP: How to bypass the REFERER security check

意中人 2024-08-20 10:01:34


I'm using this to check if the page is loaded from whitelist domain. I'm sure there are ways around this, but it seems to work.

var okayUrl = "http://good-domain.com";
var okayUrl2 = "http://another-good-domain.com";

//check if page is loaded in iframe
if ( window.self !== window.parent ) {
    //document.referrer holds the parent's full URL, so compare its origin
    //(scheme://host[:port]) rather than the whole string; otherwise a
    //referrer such as "http://good-domain.com/page" never matches
    var currentUrl = "";
    try { currentUrl = new URL(document.referrer).origin; } catch (e) { /* empty or malformed referrer stays "" */ }
    //check if parent is a whitelisted domain
    if (currentUrl == okayUrl || currentUrl == okayUrl2)
    {
        //if it is a good domain, then just log the parent url or something
        console.log(currentUrl);
    } else {
        //if it is a bad domain, then do something about it
        alert ("Woah buddy. Can't touch this!");
        window.location = "http://en.wikipedia.org/wiki/Rickrolling";
    }
}
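The check above only holds up if the referrer is compared as an origin and the empty case fails closed. The following is an added example, not code from this answer or the original post, that isolates that logic so its edge cases can be exercised outside a browser: trailing slashes and paths, look-alike hosts, a scheme mismatch, and a missing referrer. The origins are placeholders, and the `win`/`doc` parameters stand in for the browser globals.

```javascript
// Added example: client-side allowlist check on document.referrer, comparing
// origins rather than raw strings. Assumptions: the origins are placeholders.

const OKAY_ORIGINS = ["http://good-domain.com", "http://another-good-domain.com"];

// Origin (scheme://host[:port]) of the referrer, or "" when it is absent
// (Referrer-Policy: no-referrer, a direct navigation) or malformed. Exact
// origin comparison defeats the usual look-alikes, e.g.
// "http://good-domain.com.evil.com" and "http://evil.com/?u=http://good-domain.com".
function referrerOrigin(referrer) {
  try { return new URL(referrer).origin; } catch (e) { return ""; }
}

// Fail closed: with no referrer we cannot identify the parent, so treat it
// as not allowed rather than letting it through.
function isAllowedParent(referrer, allowed) {
  const origin = referrerOrigin(referrer);
  return origin !== "" && allowed.indexOf(origin) !== -1;
}

// Decide what the framed page should do. Pass the real window/document in a
// browser, or plain objects to run the logic elsewhere.
function framingDecision(win, doc, allowed) {
  if (win.self === win.top) return "not-framed";
  // A cross-origin parent's location is unreadable under the same-origin
  // policy, so document.referrer is the only hint about who framed us.
  return isAllowedParent(doc.referrer, allowed) ? "allowed" : "blocked";
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  if (framingDecision(window, document, OKAY_ORIGINS) === "blocked") {
    // The framing page can strip the referrer with its own Referrer-Policy or
    // launder it through a forwarding page on an allowed domain, so this is a
    // courtesy check, not a security boundary; the server's CSP
    // frame-ancestors header is the enforceable control.
    window.top.location.replace(window.location.href);
  }
}
```

Note that a referrer of `https://good-domain.com/` is rejected when the allowlist only names `http://good-domain.com`: the scheme is part of the origin, so list every scheme you actually serve.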