
Why can an iframe change the parent window's URL from a different domain?

I have two domains:

sub1.domain.org contains an iframe with its src pointing to the other: sub2.domain.org

On sub2:

//triggers a cross-domain security error
alert(window.parent.location.href);

//executes just fine on FF, IE, Chrome, and Safari.
window.parent.location.href = new_url; 

So it appears I'm allowed to write to the parent window's URL, but I'm not allowed to read it. Is that really the standard? I just need to know why this is working as it does.

I found one answer here: Why can a child redirect a parent frame?

the Same origin policy doesn't apply here, either. By changing the url in the address bar in your browser window, you're changing the window.top.location.href property, too. If there were same-origin restrictions there, the internet would be dead. You're not sending a request to another location, you're not getting data from a third-party resource and loading it in your page, you're redirecting the browser to another location, which closes and clears the DOM.

But this answer prompts other follow up questions.

When we change the parent's URL, aren't we still technically modifying the parent's DOM (even if it closes it) and therefore violating the same-origin policy?

How exactly would the internet be dead if the same origin policy applied here? Surely we can differentiate manually entering URLs in the address bar from changing it via scripts on separate domains.

I understand that this case is not violating the same-origin policy, but I'm still struggling to understand exactly why. Can anyone shed additional insight as to why this is allowed?

It is not a security problem for an iframe to change the URL of a parent window. That just loads a new page into the parent window (thus killing the iframe that was contained in the original parent). There's no security issue there.

The iframe from a different origin is (as you have noticed) not allowed to access the content of a parent as that could be a security issue.

FYI, the reverse is also true. A parent frame can create an iframe and set its .src to whatever it wants, including other domains, but cannot access the content that loads. The core issue here is that it is not a security problem to display content from other domains, but it can be a security issue to access the actual content from a different origin. So, you're generally allowed to display whatever you want, just not access it.

FYI, the ability to detect whether you are being framed and "bust" out of the frame by resetting the parent window source URL is known as "frame busting" and it is considered a content provider's right to decide whether or not they can be framed, or who they can be framed by. There are now newer controls that specify whether a site can be framed or not so frame busting is not required in newer browsers.
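An added example (not code from the question or the answers above) showing the two sides of this: a server-side helper that declares who may frame a page via the X-Frame-Options header and the CSP frame-ancestors directive (assumed here to be the "newer controls" the answer mentions), and a client-side check that demonstrates the asymmetry from the question: a framed page can tell it is framed, but reading a cross-origin parent's URL throws, while assigning to it would still be allowed. The function names framingHeaders and framingStatus are my own; the origins are the ones from the question.

```javascript
// Build response headers that state whether this page may be framed.
// policy: 'deny' | 'sameorigin' | { allow: ['https://sub1.domain.org'] }
function framingHeaders(policy) {
  if (policy === 'deny') {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (policy === 'sameorigin') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  // An explicit allow-list of framing origins can only be expressed with CSP;
  // X-Frame-Options has no supported form for it. Each entry must be a bare
  // origin (scheme + host, no path), so a typo cannot silently widen the policy.
  const origins = policy.allow.map((o) => {
    const url = new URL(o); // throws TypeError on malformed input
    if (url.origin !== o) throw new Error(`not a bare origin: ${o}`);
    return o;
  });
  return { 'Content-Security-Policy': `frame-ancestors ${origins.join(' ')}` };
}

// Client-side check a framed page can run. `win` is the page's own window
// object; a stand-in object is used when testing outside a browser.
function framingStatus(win) {
  if (win.self === win.top) {
    return { framed: false, parentHref: null };
  }
  try {
    // Reading a cross-origin parent's location throws a SecurityError.
    // Writing to win.parent.location.href (frame busting) is still permitted,
    // which is exactly the asymmetry the question asks about.
    return { framed: true, parentHref: win.parent.location.href };
  } catch (err) {
    return { framed: true, parentHref: null };
  }
}

module.exports = { framingHeaders, framingStatus };
```

In a real response you would pass the object from framingHeaders to res.writeHead or res.setHeader; browsers that understand frame-ancestors give it precedence over X-Frame-Options.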

Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM