
Restrict allowed resources in HTML document or iframe element

I would like to allow uploading HTML files which might contain user-created scripts that will be loaded using iframes. So naturally there are a lot of security concerns that need to be considered to protect anyone browsing the site.

If the uploaded files contain scripts that make requests for external resources, I would like to block them.

I can think of 3 potential ways to accomplish this:

1) (Ideal) If it were possible to add some sort of rule on the iframe itself to block any data transfers with any server but my own.

2) Add some lines to the uploaded HTML files to restrict their own resources. I found that this might work in some browsers with a meta tag

http-equiv="Content-Security-Policy"

However, this doesn't seem to work in Firefox.

3) Scan the uploaded files for any external requests. This is not a good solution though, as people can probably always find a way to get around such filters.

Also, the "sandbox" attribute of iframes does not block external resources at all.

CSP policies might help you if you want to control the loading of external resources. But to be honest, I'm not sure it is mature and works across all browsers.

If you want to control script execution inside your iframe... the iframe sandbox attribute (HTML5) is interesting and does the job.
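Pulling the question's options 1 and 2 together, as an added example that is not from the question or the answer: the server sends the Content-Security-Policy as a response header on every uploaded file (so an upload that omits or strips a meta tag is still covered) and the host page embeds it in a sandboxed iframe. The /uploads/ path, the in-memory upload map and the helper names are assumptions.

```javascript
// Policy for the uploaded document: every fetch directive falls back to 'self', so
// fetch()/XHR/WebSocket, images, fonts, frames and form posts cannot reach any host
// but ours, while the user's own inline scripts are still allowed to run.
function uploadCsp() {
  return [
    "default-src 'self'",
    "script-src 'self' 'unsafe-inline'", // user-authored inline scripts may run
    "connect-src 'self'",                 // fetch/XHR/WebSocket only to our origin
    "form-action 'self'",                 // forms cannot submit elsewhere
    "base-uri 'none'",                    // no <base> rewriting of relative URLs
  ].join("; ");
}
// Headers for a file served under /uploads/ (assumed path): the CSP is sent by the
// server, so an upload that omits or strips a <meta http-equiv> tag is still covered.
function uploadResponseHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": uploadCsp(),
    "X-Content-Type-Options": "nosniff",
  };
}
// Host page embedding the upload. `sandbox` without allow-same-origin puts the frame
// in an opaque origin, so its scripts cannot touch this page's DOM or cookies.
function embedPage(uploadPath) {
  const src = uploadPath.replace(/"/g, "&quot;");
  return `<!doctype html><title>Preview</title><iframe sandbox="allow-scripts" src="${src}"></iframe>`;
}
// True when every source in a CSP value is 'self' (or 'none' / 'unsafe-inline'),
// i.e. no external host has crept into the policy.
function cspOnlyAllowsSelf(csp) {
  return csp.split(";").every((directive) => {
    const [, ...sources] = directive.trim().split(/\s+/);
    return sources.every((s) => ["'self'", "'none'", "'unsafe-inline'"].includes(s));
  });
}
// Constructed in-memory upload; its fetch() to another host is blocked by connect-src.
const SAMPLE_UPLOADS = {
  "/uploads/demo.html": "<script>fetch('https://example.org/').catch(() => {})</script>",
};
// Route a request to an upload (with CSP headers) or to the host page.
function route(url, uploads) {
  if (!url.startsWith("/uploads/")) {
    return { status: 200, headers: { "Content-Type": "text/html" }, body: embedPage("/uploads/demo.html") };
  }
  const body = uploads[url];
  return body === undefined ? { status: 404, headers: {}, body: "" }
                            : { status: 200, headers: uploadResponseHeaders(), body };
}
```

Because the policy is a response header, it applies in every browser that supports CSP regardless of what the uploaded file itself contains.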
