How to check whether people are framing my site content
Hi, I am planning to implement the X-Frame-Options security header and want to know which sites it will cause any issues for, i.e. which sites have embedded my site content.
Comments (1)
This isn't easy with X-Frame-Options but can be done with Content-Security-Policy. You don't really need X-Frame-Options anymore now that IE is retired, as all relevant browsers now understand Content-Security-Policy.
If you just want to know without actually blocking any sites, you can start with Content-Security-Policy-Report-Only, but if you don't care whether they are blocked, you can use Content-Security-Policy. You can define it like this:
The frame-ancestors directive restricts which sites can frame your site, and the value 'self' is the same as "sameorigin" in X-Frame-Options.
The report-uri directive defines where violation reports should be sent. Alternatively, you can use the report-to directive. For details on this see e.g. https://content-security-policy.com/, and for a report service you can use https://report-uri.com/, which has a free tier for small report volumes.
Note that the reports will in most cases not give you the host or URL of the site that tried to frame your site. This is due to privacy concerns, as URLs could include authentication or personal information. But it will tell you whether your site is presented in a frame.
If you want to understand which sites are actually framing your site, you can include the referrer somewhere in the policy. Add the host of the referrer to a directive which isn't currently in use, and make sure not to include the full URL:
The reports will now include the host of the framing sites, if your reporting service shows you the full policy being violated.