框架仅跨域中断,但不适用于来自同一来源的 iframe?
这个问题以前是询问并回答正确,但似乎没有发布解决方案。
如果一个站点有 iframe,并且想要防止它们被包含在来自不同域的框架中,那么简单的框架破坏将没有用:
<script>if (top != self) top.location = location</script>
但是,由于到其他域的跨框架脚本应该生成异常,所以看起来像这样要在 iframe 内正常工作:
<script>
try {
if (window.document.domain != top.document.domain) { // throws exception
throw "You naughty puppy!"; // Should not ever get here, right?
}
}
catch () {
top.location = "/error/naughtypuppy";
}
</script>
上面的 if 本身就足以防止 iframe 的跨域框架。它应该只返回 false 或抛出异常,那么脚本是否可以到达浏览器中的 throw 语句?
这足以防止仅来自其他域的框架吗?
<script>
try {
var bogus = top.document.domain;
}
catch () {
top.location = "/error/naughtypuppy";
}
</script>
编辑:这里暗示了一种类似的解决方案,但不会依赖父框架来包含框架破坏代码。 检测 iframe 何时跨域,然后崩溃出来了。本质上与“尝试访问其他框架并在发生异常时崩溃”的解决方案相同。
This question was previously asked and answered correctly, but there did not seem to be a solution posted.
If a site has iframes, and one wants to prevent those from being enclosed in a frame from a different domain, simplistic frame-busting will not be useful:
<script>if (top != self) top.location = location</script>
However, since cross-frame scripting to other domains should generate exceptions, something like this seems to work well inside the iframe:
<script>
try {
if (window.document.domain != top.document.domain) { // throws exception
throw "You naughty puppy!"; // Should not ever get here, right?
}
}
catch () {
top.location = "/error/naughtypuppy";
}
</script>
The if above should be enough on its own to prevent cross-domain framing of iframes. It should only ever return false or throw an exception, so is there anyway the script could reach the throw statement in a browser?
Would this be sufficient to prevent framing only from other domains?
<script>
try {
var bogus = top.document.domain;
}
catch () {
top.location = "/error/naughtypuppy";
}
</script>
Edit: A similar solution is hinted at here, but one would not rely on the parent frame to include the frame-busting code. Detect when iframe is cross-domain, then bust out of it . Essentially the same solution as "try to access the other frame and bust if an exception occurs."
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
该代码容易受到利用“onbeforeunload”功能的攻击。父(邪恶)页面设置一个间隔处理程序(由于域差异,它不会受到您的代码的影响)和一个“onbeforeunload”处理程序。第二个处理程序只是更新一些全局变量(也是无懈可击的)来记录窗口“受到攻击”的事实,然后间隔计时器(运行得足够快,应该能够在浏览器完成外部窗口之前激活)更新为您的合法 URL)会弹出并更新
window.location以指向某个攻击者控制的 URL,该 URL 返回无操作 204 响应。浏览器会忘记您的 HTTP 请求,并根据间隔处理程序发起的较新事务“更新”窗口。这是较旧的问题:Frame Buster Buster ...需要buster代码
That code is vulnerable to a form of attack that leverages the "onbeforeunload" feature. The parent (evil) page sets up a interval handler (which is invulnerable to your code, due to the domain difference) and an "onbeforeunload" handler. The second handler just updates some global variable (also invulnerable) to record the fact that the window is "under attack", and then the interval timer (running fast enough that it should be able to become active before the browser has completed the outer window update to your legit URL) pops up and updates
window.locationto point to some attacker-controlled URL that returns a no-op 204 response. The browser forgets about your HTTP request and "updates" the window from that newer transaction instigated by the interval handler instead.Here's the older SO question: Frame Buster Buster ... buster code needed
我的网站仍然有框架,但目前无法删除它们。这是我能找到的最佳解决方案:
从此链接: XFS 101-cross-frame-scripting-explained
基于以下演示:OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt
这是更新的 OWasp 点击劫持页面
I have a site that still has frames and I can't remove them for now. This was the best solution I was able to find:
From this link: XFS 101-cross-frame-scripting-explained
Based on a presentation from: OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt
Here is a more updated OWasp Clickjacking page