
How can I limit what domains a sandboxed iframe can connect to?

I'm creating something like an app ecosystem where each app runs in a sandboxed iframe and processes sensitive data. I want to allow scripts, but I don't want the iframe to communicate with any 3rd party server or it might leak this data.

Is there a way to enforce a whitelist like you can with Chrome extensions? Am I going about this the wrong way?

You will want to limit what domains can be connected to for all things, not just XHR (an img tag can leak data just as well). Modern browsers offer a feature to do this called Content Security Policy.

In particular, to whitelist domains, you will want to return a header like the following:

Content-Security-Policy: default-src 'self' safedomain.com securedomain.com

Like anything security related, make sure you read up on the topic and understand the implications of what you are dealing with. Copy-pasting code from a Stack Overflow answer is not enough.

Also remember that some older browsers do not support this feature and will silently not enforce it, so you will probably want to detect this and prevent those browsers from exposing sensitive data.
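
An added example, not part of the original answer: one way to generate the header above from a per-app allowlist on a Node.js server, rejecting entries that would widen the policy. The names buildAppCsp and applyCsp are hypothetical, and the form-action and base-uri directives are an assumption added here because default-src does not act as their fallback.

```javascript
// Added example: build a Content-Security-Policy value from a host allowlist.
// buildAppCsp / applyCsp are hypothetical helper names, not from the answer.

// Accept only a plain host name with an optional port. No scheme, path,
// wildcard, quote, space or semicolon is allowed, so an allowlist entry
// cannot smuggle in an extra source or a whole extra directive.
const HOST_RE =
  /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}(:\d{1,5})?$/;

function buildAppCsp(allowedHosts) {
  const hosts = [];
  for (const raw of allowedHosts) {
    const host = String(raw).trim().toLowerCase();
    if (!HOST_RE.test(host)) {
      throw new Error(`rejected allowlist entry: ${JSON.stringify(raw)}`);
    }
    if (!hosts.includes(host)) hosts.push(host); // drop duplicates
  }
  const sources = ["'self'", ...hosts].join(' ');
  return [
    // Fallback for fetch directives: scripts, images, XHR/fetch, frames, etc.
    `default-src ${sources}`,
    // Not covered by default-src, so set explicitly (assumption added here).
    `form-action ${sources}`,
    `base-uri 'self'`,
  ].join('; ');
}

// Attach the policy to the HTTP response that serves the app's document.
// `res` is a Node.js http.ServerResponse (or anything with setHeader).
function applyCsp(res, allowedHosts) {
  res.setHeader('Content-Security-Policy', buildAppCsp(allowedHosts));
}
```

The policy only binds the iframe if it is sent on the response that delivers the framed document itself, not on the parent page.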
