通过访问页面源来防止框架破坏
所以我们正在 iframe 中加载页面。该子页面是从与父页面位于同一域的缓存中加载的。然而,外部资源不会在本地缓存,而是从外部站点加载 - 包括 javascript。在一个站点中,我们有框架破坏代码:
if (top.location != self.location) {
top.location = self.location
}
现在我知道我们可以使用 coderr 但我不确定影响/连锁问题是什么。鉴于我们可以访问缓存的子页面,我想知道是否可以向子页面添加任何内容,以便覆盖任何方法或值,从而将帧破坏呈现为空。例如,在孩子的 中,我尝试添加以下内容:
<script type="text/javascript">
top.location = self.location
</script>
结果非常可怕
self.location = top.location
(第一个示例中无限嵌套,第二个示例中浏览器完全崩溃)。
对于我们可以添加到子级以使帧破坏无效的代码有什么建议吗?
否则,我们必须缓存 js 并解析/替换 Framebusting 脚本。
谢谢
R。
拜托 - 这是合法的!
So we are loading a page in an iframe. This child page is loaded from a cache on the same domain as the parent. However external assets are not cached locally, and are loaded from the external site - including javascript. In one site we have frame-busting code:
if (top.location != self.location) {
top.location = self.location
}
Now I know that we could use the solution from coderr but I'm not sure what the implications / knock on issues are. Given that we have access to the cached child page, I am wondering whether there is anything we can add to the child in order to override any methods or values in order to render null the framebusting. E.g in the <head> of the child I tried adding this:
<script type="text/javascript">
top.location = self.location
</script>
and
self.location = top.location
with pretty horrific results (infinite nesting in the first example, total and complete browser meltdown in the second).
Are there any suggestions for code we could add to the child to nullify the framebusting?
Else, we'll have to cache the js and parse out / replace framebusting script.
Thanks
R.
And please - this is legit!!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
不久前,我看到 Jeff Atwood 发表的一篇非常有趣的文章,他在其中谈到了一种“不可能”的对抗反帧破坏技术:
http://www.codinghorror.com/blog/2009/06/we-done-been-framed.html
它没有甚至不需要对子框架代码的特权访问!
I came across a very interesting post by Jeff Atwood a while ago, where he talks about an "impossible" to counter anti-frame-busting technique:
http://www.codinghorror.com/blog/2009/06/we-done-been-framed.html
It doesn't even require privileged access to the child frame's code!
使用 Tampermonkey 进行简单文本替换
如果使用正则表达式版本(替换文档中的所有匹配项),则需要转义特殊字符,例如
/和"与\符号仅替换单个匹配项:
这不适用于顶部有
确保设置了
@run-at document.start。Simple Text replacement with Tampermonkey
If using the regex version (replace all occurrences in the document) then you need to escape especial characters like
/and"with the\symbol.To replace only a single occurrence:
This will not work on pages that have the
<script>at the very top, up by the head.Make sure
@run-at document.startis set.