如何防止 iframe 显示外部网站?
[英]How to prevent an iframe to display external websites?
问题描述
Let's say I display an iFrame on iframe.domain.com.
假设我在 iframe.domain.com 上显示了一个 iFrame。 I want this iframe to be able to display content from iframe.domain.com or sub.domain.com.我希望这个 iframe 能够显示来自 iframe.domain.com 或 sub.domain.com 的内容。 But those websites contain link to external websites, for example google.com.但这些网站包含指向外部网站的链接,例如 google.com。 If the users clicks on a link redirecting him to google.com, I want the iFrame to be redirected to sub.domain.com如果用户单击将他重定向到 google.com 的链接,我希望将 iFrame 重定向到 sub.domain.com
How can I do that?我怎样才能做到这一点?
3 个解决方案
解决方案1
0 2015-08-05 10:43:10
You can use e.preventDefault() to achieve this to achieve this您可以使用e.preventDefault()来实现此目的
now to get the onclick handler set on the links in your frame you can use this function现在要在框架中的链接上设置 onclick 处理程序,您可以使用此函数
function onLoadIF(frame)
{
var elements = frame.getElementsByTagName('a'),
len = elements.length;
while( len-- ) {
$(elements[len]).on('click', function(e){
e.preventDefault();
}
}
}
解决方案2
0 2015-08-05 12:31:22
I want to expand what Arno_Geismar said.我想扩展 Arno_Geismar 所说的内容。
You have other options:您还有其他选择:
1) HTML5! 1)HTML5!
<iframe sandbox="value">
The sandbox attribute will:沙箱属性将:
The sandbox attribute enables an extra set of restrictions for the content in the iframe. sandbox 属性为 iframe 中的内容启用一组额外的限制。
When the sandbox attribute is present, and it will:当存在沙箱属性时,它将:
- treat the content as being from a unique origin将内容视为来自独特的来源
- block form submission阻止表单提交
- block script execution阻止脚本执行
- disable APIs禁用 API
- prevent links from targeting other browsing contexts防止链接针对其他浏览上下文
- prevent content from using plugins (through , , , or other)阻止内容使用插件(通过 、 、 或其他)
- prevent the content to navigate its top-level browsing context阻止内容导航其顶级浏览上下文
- block automatically triggered features (such as automatically playing a video or automatically focusing a form control)阻止自动触发的功能(例如自动播放视频或自动聚焦表单控件)
The value of the sandbox attribute can either be just sandbox (then all restrictions are applied), or a space-separated list of pre-defined values that will REMOVE the particular restrictions.沙箱属性的值可以只是沙箱(然后应用所有限制),也可以是将删除特定限制的以空格分隔的预定义值列表。
2) Javascript: If you're using jquery you could simply put this 2)Javascript:如果你使用jquery,你可以简单地把这个
$(document).ready(function(){
$('a').click(function(event) {
event.preventDefault();
});
});
Which is basically (almost) the same solution Arno_Geismar gave to you.这基本上(几乎)与 Arno_Geismar 给您的解决方案相同。 The difference here is that I didn't need to loop through all "a" elements, thus improving a little the perfomance这里的区别在于我不需要遍历所有“a”元素,从而稍微提高了性能
解决方案3
0 2021-07-26 08:35:36
I was having this issue and the solution I settled on was this:我遇到了这个问题,我确定的解决方案是:
Put a Content-Security-Police
metatag in your<header>section:将 Content-Security-Police meta标记放在您的<header>部分:<meta http-equiv="Content-Security-Policy" content="frame-src https://desired_domain.com/">Use the
sandboxattribute in your<iframe>if you want to prevent links from opening a new tab:如果您想阻止链接打开新选项卡,请使用<iframe>的sandbox属性:<iframe src="https://desired_url.com" sandbox="allow-same-origin allow-scripts"></iframe>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.