当前位置：文江博客话题详情

是否有客户端方法来检测 X-Frame-Options？

发布于 2024-12-12 11:23:43 字数 97 浏览 0 评论 0原文

有没有什么好的方法可以检测页面何时由于 X-Frame-Options 标头而不会在框架中显示？我知道我可以请求页面服务器端并查找标头，但我很好奇浏览器是否有任何机制来捕获此错误。

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

热情消退 2024-12-19 11:23:43

好吧，这个已经很旧了，但仍然相关。

事实：
当 iframe 加载被 X-Frame-Options 阻止的 url 时，加载时间非常短。

黑客：
因此，如果加载立即发生，我知道这可能是 X-Frame-Options 问题。

免责声明：
这可能是我写过的“最黑客”的代码之一，所以不要期望太多：

var timepast=false; 
var iframe = document.createElement("iframe");

iframe.style.cssText = "position:fixed; top:0px; left:0px; bottom:0px; right:0px; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;";
iframe.src = "http://pix.do"; // This will work
//iframe.src = "http://google.com"; // This won't work
iframe.id = "theFrame";

// If more then 500ms past that means a page is loading inside the iFrame
setTimeout(function() {
    timepast = true;
},500);

if (iframe.attachEvent){
    iframe.attachEvent("onload", function(){
    if(timepast) {
            console.log("It's PROBABLY OK");
        }
        else {
            console.log("It's PROBABLY NOT OK");
        }
    });
} 
else {
    iframe.onload = function(){
        if(timepast) {
            console.log("It's PROBABLY OK");
        }
        else {
            console.log("It's PROBABLY NOT OK");
        }
    };
}
document.body.appendChild(iframe);

OK, this one is old but still relevant.

Fact:
When an iframe loads a url which is blocked by a X-Frame-Options the loading time is very short.

Hack:
So if the onload occurs immediately I know it's probably a X-Frame-Options issue.

Disclaimer:
This is probably one of the 'hackiest' code I've written, so don't expect much:

var timepast=false; 
var iframe = document.createElement("iframe");

iframe.style.cssText = "position:fixed; top:0px; left:0px; bottom:0px; right:0px; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;";
iframe.src = "http://pix.do"; // This will work
//iframe.src = "http://google.com"; // This won't work
iframe.id = "theFrame";

// If more then 500ms past that means a page is loading inside the iFrame
setTimeout(function() {
    timepast = true;
},500);

if (iframe.attachEvent){
    iframe.attachEvent("onload", function(){
    if(timepast) {
            console.log("It's PROBABLY OK");
        }
        else {
            console.log("It's PROBABLY NOT OK");
        }
    });
} 
else {
    iframe.onload = function(){
        if(timepast) {
            console.log("It's PROBABLY OK");
        }
        else {
            console.log("It's PROBABLY NOT OK");
        }
    };
}
document.body.appendChild(iframe);

回复收藏 0 原文

栩栩如生 2024-12-19 11:23:43

免责声明：我在 2012 年写的这个答案（当时 Chrome 的版本约为 20）已经过时，我将其保留在这里仅用于历史目的。阅读和使用风险自负。

好吧，这是一个有点老的问题，但这是我针对 Chrome/Chromium 发现的内容（这不是完整的答案）。

检测指向外部地址的框架是否已加载的方法只是尝试访问其 contentWindow 或文档。

这是我使用的代码：

element.innerHTML = '<iframe class="innerPopupIframe" width="100%" height="100%" src="'+href+'"></iframe>';
myframe = $(element).find('iframe');

然后，稍后：

try {
    var letstrythis = myframe.contentWindow;
} catch(ex) {
    alert('the frame has surely started loading');
}

事实是，如果 X-Frame-Options 禁止访问，则 myFrame.contentWindow 将可以访问。

这里的问题就是我所说的“然后，稍后”。我还没有弄清楚该依赖什么，订阅哪个事件来找到何时是执行测试的好时机。

Disclaimer: this answer I wrote in 2012(Chrome was version ~20 at that time) is outdated and I'll keep it here for historical purposes only. Read and use at your own risk.

Ok, this is a bit old question, but here's what I found out (it's not a complete answer) for Chrome/Chromium.

the way do detect if a frame pointing to a foreign address has loaded is simply to try to access its contentWindow or document.

here's the code I used:

element.innerHTML = '<iframe class="innerPopupIframe" width="100%" height="100%" src="'+href+'"></iframe>';
myframe = $(element).find('iframe');

then, later:

try {
    var letstrythis = myframe.contentWindow;
} catch(ex) {
    alert('the frame has surely started loading');
}

the fact is, if the X-Frame-Options forbid access, then myFrame.contentWindow will be accessible.

the problem here is what I called "then, later". I haven't figured out yet on what to rely, which event to subsribe to find when is the good time to perform the test.

回复收藏 0 原文

潦草背影 2024-12-19 11:23:43

这是基于 @Iftach 的答案，但稍微不那么老套。

它检查是否iframe.contentWindow.length > > 0 这表明 iframe 已成功加载。

此外，它还会检查 iframe onload 事件是否在 5 秒内触发并发出警报。这捕获了混合内容加载失败的情况（尽管以一种 hacky 的方式）。

var iframeLoaded = false;
var iframe = document.createElement('iframe');

// ***** SWAP THE `iframe.src` VALUE BELOW FOR DIFFERENT RESULTS ***** //
// iframe.src = "https://davidsimpson.me"; // This will work
iframe.src = "https://google.com"; // This won't work

iframe.id = 'theFrame';
iframe.style.cssText = 'position:fixed; top:40px; left:10px; bottom:10px;'
 + 'right:10px; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;';

var iframeOnloadEvent = function () {
    iframeLoaded = true;
  var consoleDiv = document.getElementById('console');
    if (iframe.contentWindow.length > 0) {
    consoleDiv.innerHTML = '✔ Content window loaded: ' + iframe.src;
    consoleDiv.style.cssText = 'color: green;'
    } else {
    consoleDiv.innerHTML = '✘ Content window failed to load: ' + iframe.src;
    consoleDiv.style.cssText = 'color: red;'
    }
} 

if (iframe.attachEvent){
    iframe.attachEvent('onload', iframeOnloadEvent);
} else {
    iframe.onload = iframeOnloadEvent;
}
document.body.appendChild(iframe);

// iframe.onload event doesn't trigger in firefox if loading mixed content (http iframe in https parent) and it is blocked.
setTimeout(function () {
    if (iframeLoaded === false) {
        console.error('%c✘ iframe failed to load within 5s', 'font-size: 2em;');
    consoleDiv.innerHTML = '✘ iframe failed to load within 5s: ' + iframe.src;
    consoleDiv.style.cssText = 'color: red;'    
  }
}, 5000);

现场演示 - https://jsfiddle.net/dvdsmpsn/7qusz4q3/ - 这样你就可以测试在相关浏览器中即可。

在撰写本文时，它适用于 Chrome、Safari、Opera、Firefox、Vivaldi 和 Firefox 的当前版本。 Internet Explorer 11。我没有在其他浏览器中测试过。

This is based on @Iftach's answer, but is a slightly less hacky.

It checks to see if iframe.contentWindow.length > 0 which would suggest that the iframe has successfully loaded.

Additionally, it checks to see if the iframe onload event has fired within 5s and alerts that too. This catches failed loading of mixed content (in an albeit hacky manner).

var iframeLoaded = false;
var iframe = document.createElement('iframe');

// ***** SWAP THE `iframe.src` VALUE BELOW FOR DIFFERENT RESULTS ***** //
// iframe.src = "https://davidsimpson.me"; // This will work
iframe.src = "https://google.com"; // This won't work

iframe.id = 'theFrame';
iframe.style.cssText = 'position:fixed; top:40px; left:10px; bottom:10px;'
 + 'right:10px; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;';

var iframeOnloadEvent = function () {
    iframeLoaded = true;
  var consoleDiv = document.getElementById('console');
    if (iframe.contentWindow.length > 0) {
    consoleDiv.innerHTML = '✔ Content window loaded: ' + iframe.src;
    consoleDiv.style.cssText = 'color: green;'
    } else {
    consoleDiv.innerHTML = '✘ Content window failed to load: ' + iframe.src;
    consoleDiv.style.cssText = 'color: red;'
    }
} 

if (iframe.attachEvent){
    iframe.attachEvent('onload', iframeOnloadEvent);
} else {
    iframe.onload = iframeOnloadEvent;
}
document.body.appendChild(iframe);

// iframe.onload event doesn't trigger in firefox if loading mixed content (http iframe in https parent) and it is blocked.
setTimeout(function () {
    if (iframeLoaded === false) {
        console.error('%c✘ iframe failed to load within 5s', 'font-size: 2em;');
    consoleDiv.innerHTML = '✘ iframe failed to load within 5s: ' + iframe.src;
    consoleDiv.style.cssText = 'color: red;'    
  }
}, 5000);

Live demo here - https://jsfiddle.net/dvdsmpsn/7qusz4q3/ - so you can test it in the relevant browsers.

At time of writing, it works on the current version on Chrome, Safari, Opera, Firefox, Vivaldi & Internet Explorer 11. I've not tested it in other browsers.

回复收藏 0 原文

箜明 2024-12-19 11:23:43

我唯一能想到的就是代理一个针对url的AJAX请求，然后查看标头，如果它没有X-Frame-Options，则在iframe中显示它。远非理想，但总比没有好。

回复收藏 0 原文

情定在深秋 2024-12-19 11:23:43

至少在 Chrome 中，您可以注意到加载失败，因为 iframe.onload 事件没有触发。您可以将其用作该页面可能不允许 iframe 的指示器。

回复收藏 0 原文

故人如初 2024-12-19 11:23:43

在线测试工具可能会有用。
我使用了 https://www.hurl.it/。
您可以清楚地看到响应头。
寻找 X 框架选项。如果值为拒绝 - 它将不会显示在 iframe 中。
同源-仅来自同一域，
允许 - 将允许来自特定网站。

如果你想尝试其他工具，你可以简单地谷歌搜索“http request test online”。

回复收藏 0 原文

甜警司 2024-12-19 11:23:43

这就是我检查 X-Frames-Options 以满足我的要求之一的方式。加载 JSP 页面时，您可以使用 AJAX 向特定 URL 发送异步请求，如下所示：

var request = new XMLHttpRequest();
request.open('GET', <insert_URL_here>, false);
request.send(null);

完成此操作后，您可以读取收到的响应标头，如下所示：

var headers = request.getAllResponseHeaders();

然后您可以对其进行迭代以找出X 框架选项。一旦获得该值，就可以按照适当的逻辑使用它。

This is how I had checked for X-Frames-Options for one of my requirements. On load of a JSP page, you can use AJAX to send an asynchronous request to the specific URL as follows:

var request = new XMLHttpRequest();
request.open('GET', <insert_URL_here>, false);
request.send(null);

After this is done, you can read the response headers received as follows:

var headers = request.getAllResponseHeaders();

You can then iterate over this to find out the value of the X-Frames-Options. Once you have the value, you can use it in an appropriate logic.

回复收藏 0 原文

醉城メ夜风 2024-12-19 11:23:43

这可以通过以下方式实现：

a) 通过 CreateElement 创建一个新的 IFrame

b) 将其显示设置为“none”

c) 通过 src 属性加载 URL

d) 为了等待 iframe 加载，请使用 SetTimeOut 方法来延迟 a)函数调用（我将调用延迟了 10 秒）

e) 在该函数中，检查 ContentWindow 长度。

f) 如果长度> 0，则加载 url，否则由于 X-Frame-Options，未加载 URL

下面是示例代码：

function isLoaded(val) {
var elemId = document.getElementById('ctlx');
if (elemId != null)
    document.body.removeChild(elemId);


var obj= document.createElement('iframe');

obj.setAttribute("id", "ctlx");

obj.src = val;
obj.style.display = 'none';

document.body.appendChild(obj);

setTimeout(canLoad, 10000);  

}

function canLoad() {
//var elemId = document.getElementById('ctl100');
var elemId = document.getElementById('ctlx');
if (elemId.contentWindow.length > 0) {
    elemId.style.display = 'inline';

}

else {
    elemId.src = '';
    elemId.style.display = 'none';
    alert('not supported');
}
}

This can be achieved through

a) Create a new IFrame through CreateElement

b) Set its display as 'none'

c) Load the URL through the src attribute

d) In order to wait for the iframe to load, use the SetTimeOut method to delay a function call (i had delayed the call by 10 sec)

e) In that function, check for the ContentWindow length.

f) if the length > 0, then the url is loaded else URL is not loaded due to X-Frame-Options

Below is the sample code:

function isLoaded(val) {
var elemId = document.getElementById('ctlx');
if (elemId != null)
    document.body.removeChild(elemId);


var obj= document.createElement('iframe');

obj.setAttribute("id", "ctlx");

obj.src = val;
obj.style.display = 'none';

document.body.appendChild(obj);

setTimeout(canLoad, 10000);  

}

function canLoad() {
//var elemId = document.getElementById('ctl100');
var elemId = document.getElementById('ctlx');
if (elemId.contentWindow.length > 0) {
    elemId.style.display = 'inline';

}

else {
    elemId.src = '';
    elemId.style.display = 'none';
    alert('not supported');
}
}

回复收藏 0 原文

~没有更多了~