
Security Risks of Including a 3rd Party iFrame

What are the application security risks of including a hidden 3rd Party iFrame?

If I understand correctly...

  • Clickjacking isn't an issue for me because I own the parent page
  • Same-Origin Policy prevents the 3p frame from interacting with my DOM/cookies/JS
  • The frame is hidden, so I don't have to worry about anything that may be displayed in the frame

However, I did some experiments in the Chrome console and...

  • 3p frame can call things like alert/prompt
  • 3p frame can redirect the parent via location.href
  • Malware inside the 3p frame (java/flash/activeX) could infect my user

I'd love to see a list of the possible issues and any mitigations, but I can't find a good source of information.

So... What are the application security risks of including a hidden 3rd Party iFrame?

If you are implementing iframes on your website, you could use the sandbox tag in HTML5's iframe to prevent yourself/others on your website.

Source: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox

I don't know how effective it is (the sandbox feature), but it states it can restrict scripts, forms, etc. inside the iframe.

<iframe sandbox="" src="https://www.example.com"></iframe>

Although not a guaranteed and effective method, it's one of many different ways. On your end though, you could use add-ons such as NoScript to prevent certain/all scripts from running.

It's possible that the 3rd party iframe, as you said, could use exploits such as drive-by downloads or browser exploits to gain access to your OS and possibly more.

See also here: Why are iframes considered dangerous and a security risk?

Hope this helps.
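As an added example (not code from the original answer or the question), a small Node.js helper that maps each iframe sandbox token to the behaviour it re-enables, including the two the question observed (parent redirect via location.href, and alert/prompt), and flags the allow-scripts plus allow-same-origin combination. The token names are the real sandbox keywords; the third-party URL is a constructed placeholder.

```javascript
// Risk each sandbox keyword re-enables when present. With an empty sandbox=""
// none of these are allowed, which is what blocks the behaviours in the question.
const SANDBOX_RISKS = {
  "allow-top-navigation": "frame can redirect the parent via top.location / location.href",
  "allow-modals": "frame can open alert/prompt/confirm dialogs",
  "allow-popups": "frame can open new windows (window.open)",
  "allow-forms": "frame can submit forms",
  "allow-scripts": "frame can run script",
  "allow-same-origin": "frame keeps its real origin (cookies, storage) instead of an opaque one",
};

// Returns { attr, warnings }: the attribute value to emit and the risks it re-enables.
function auditSandbox(tokens) {
  const set = new Set(tokens);
  const warnings = [];
  for (const t of set) {
    if (!Object.prototype.hasOwnProperty.call(SANDBOX_RISKS, t)) {
      throw new Error(`unknown sandbox token: ${t}`);
    }
    warnings.push(`${t}: ${SANDBOX_RISKS[t]}`);
  }
  // Both together let a same-origin framed document strip its own sandbox attribute.
  if (set.has("allow-scripts") && set.has("allow-same-origin")) {
    warnings.push("allow-scripts + allow-same-origin: a same-origin frame can remove the sandbox entirely");
  }
  return { attr: [...set].sort().join(" "), warnings };
}

// Builds the hidden iframe tag for an untrusted third-party src with the audited policy.
function renderIframe(src, tokens) {
  const { attr } = auditSandbox(tokens);
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe sandbox="${esc(attr)}" src="${esc(src)}" hidden></iframe>`;
}

// Constructed placeholder URL for the example.
const THIRD_PARTY = "https://third-party.example/tracker.html";
console.log(renderIframe(THIRD_PARTY, []));                                  // everything blocked
console.log(auditSandbox(["allow-scripts", "allow-top-navigation"]).warnings); // lists what was re-enabled
```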
