Ensure iframe content cannot access the parent via JavaScript
While I know that XSS rules should apply to iframed content if the domain, protocol etc. do not match, I was wondering if there is any way to further ensure that iframed content cannot access the parent via JavaScript.

For example, even if the domain, port and protocol DO match.

The basic idea is as such:

1) domain.com contains multiple iframes containing 3rd-party advertisements
2) the iframes that contain the banner code are hosted on ads.domain.com
3) in most cases, the 3rd-party advertisements are loaded via something like the following, inside the frames that are hosted on ads.domain.com:

<script type="text/javascript" src="http://www.3rd-party-ad-provider.....

Are there any further steps we can take to end up with a scenario as follows:

3rd party < HAS ACCESS > ads.domain.com < NO ACCESS > domain.com (parent holding the ad iframes)

Even steps that are only compatible with recent browsers are welcome. Anything to improve this. We are seeing quite a few JS errors leaking through, and I am assuming that at least some of them are caused by faulty ad code mangling the parent (topmost) document body.

merci!
Comments (1)
Nothing that works cross-browser or without side effects.

The same origin policy does that.

If JS errors in a frame, then it still errors. It shouldn't touch the top level frame, but browsers will report the errors.

Since you are dealing with third party content, you can't catch the errors. You could simply take a hard line with the advertisers and reject adverts that don't pass quality control. You'll have to weigh the cost of turning adverts down with the benefits of the improved experience for visitors.