在 HTML 标记中插入包含潜在不受信任内容的 iframe 标记会产生哪些危险?

发布于 2024-11-03 04:21:16 字数 324 浏览 2 评论 0原文

在这篇 2003 年的博客文章中,Mark Pilgrim 建议 iframe 标记是危险的,应该将其作为 HTML 清理的一个组件进行删除:

http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely

包含不受信任内容的 iframe 标记可以通过哪些方式有危险吗?

In this 2003 blog post, Mark Pilgrim suggests that iframe tags are dangerous, and should be stripped as a component of HTML sanitization:

http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely

In what ways can an iframe tag containing untrusted content be dangerous?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

北凤男飞 2024-11-10 04:21:16

潜在的攻击范围相当广泛,唯一的优点是您在关于 DOM 的评论中所回避的内容,该 DOM 不允许一个域中的脚本直接与另一个域中的脚本交互(即 iframe 从非页面访问 cookie)。但是,无法保证 iframe 的“不受信任”内容本身不会包含任何数量的漏洞,包括可能重写框架内容的 XSS。

当然,iframe 可以执行各种级别的浏览器操作,例如重定向页面,这会使您容易受到 tabnapping 等攻击。或者 iframe 可以简单地提供一个不错的小恶意软件包。

在不受信任的网站上使用 iframe 的问题在于,对于最终用户来说,它集成得非常好,并且出于所有意图和目的,它是您网站的一部分。除了上述安全风险之外,您将被视为对内容负责,并且由于内容不受信任,您无法保证该内容是否令人反感。

简而言之,您希望对加载到该框架中的页面(即 Twitter 或 Facebook 按钮)的完整性充满信心。我当然不会允许将任意的、用户定义的页面加载到面向公众的网站中。

The potential attack scope is pretty broad and the only saving grace is what you eluded to in your comment regarding the DOM disallowing script form one domain directly interacting with that from another (i.e. iframe accessing cookies from the arent page). However, there's no guarantee that the "untrusted" contents of the iframe won't contain any number of vulnerabilities itself, including XSS which could rewrite the contents of the frame.

Then of course there are various levels of browser manipulation the iframe can perform such as redirecting the page which then makes you vulnerable to attacks like tabnapping. Or the iframe could simply serve up a nice little malware package.

The problem with having an iframe with an untrusted site is that to the end user, it's very well integrated and for all intents and purposes, it's part of your site. Beyond the security risks outlined above, you will be perceived to be responsible for the contents and given it's untrusted, you have no assurance as to whether that content is objectionable or not.

In short, you want to be pretty confident in the integrity of the page you're loading into that frame (i.e. Twitter or Facebook button). I certainly wouldn't be allowing an arbitrary, user defined page to be loaded into a publicly facing site.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文