阻止iframe设置parent.location(防止帧爆破)
[英]Block iframe from setting parent.location (prevent framebusting)
问题描述
I have a website on my own domain where i include iframes to other sites on other domains for quick preview purposes. 
我在自己的域中有一个网站,为了快速预览,我将iframe包含到其他域中的其他站点。
The problem is that some websites has framebusting code that redirects the user from my site. 问题在于某些网站具有框架无效代码,该代码会将用户从我的网站重定向。
How can i stop this. 我该如何阻止。 Even not showing the iframe at all would be better than the redirect in the case of a framebuster. 即使在完全不显示iframe的情况下,也比在帧破坏器的情况下重定向更好。
Shouldnt this redirect be blocked by the same site origin protection btw? 不应由同一站点起源保护阻止该重定向吗?
Update 更新资料
Ok, so it seems to be impossible to prevent it, but is it possible to just dont display the frame at all instead. 好的,因此似乎不可能阻止它,但是有可能根本不显示框架。
I tried with a double frame aproach: A and B is on my site, B contains C and when B gets window.onbeforeunload it sends a message to A to remove B. This didn't work either as the frames seem to have access all the way to the top window and not only the parent. 我尝试了一种双框方法:A和B在我的网站上,B包含C,并且当B进入window.onbeforeunload时它向A发送一条消息以删除B.这也没有用,因为这些框似乎可以访问所有到顶部窗口的方式,而不仅仅是父级。
window.onbeforeunload works for blocking the redirect btw but then you have to display a dialog. window.onbeforeunload用于阻止重定向btw,但随后必须显示一个对话框。
5 个解决方案
解决方案1
6 2010-09-19 17:50:48
This can't be done because you can't access the DOM of the page in the iframe if it violates the same-origin policy. 无法执行此操作,因为如果iframe违反了同源策略,则无法访问该页面的DOM。
Just don't do it. 只是不要这样做。 If people have framebusting code, they clearly don't want their page to be in a frame. 如果人们有框架无效代码,那么他们显然不希望其页面出现在框架中。 Respect that. 尊重这一点。
解决方案2
1 2010-09-19 18:54:08
How about running a test in a popup? 如何在弹出窗口中运行测试? Give it 20 seconds, if you still have control of the popup (ie the frame didn't change the document.url ) then load it in a new frame (?) and display to the user. 给它20秒钟,如果您仍然可以控制弹出窗口(即框架没有更改document.url ),则将其加载到新框架(?)中并显示给用户。 Otherwise, don't show a frame at all. 否则,不要显示任何框架。 It's not foolproof but could work. 它不是万无一失的,但可以工作。
解决方案3
0 2010-09-19 17:54:19
How can i stop this.
You can't. 你不能 If you could, it would defeat the purpose of having frame-busting code in the first place. 如果可以的话,它首先会破坏具有破坏帧代码的目的。
Shouldnt this redirect be blocked by the same site origin protection btw?
That only protects you from accessing/modifying the DOM (ie document object) of a page. 那只会保护您避免访问/修改页面的DOM(即document对象)。 Frame-busting code only uses the window object to both detect frames and redirect to another page. 框架无效代码仅使用window对象检测框架并重定向到另一个页面。
解决方案4
0 2010-09-19 18:07:41
It's a cat-and-mouse game, but framebusting can be defeated. 这是只猫捉老鼠的游戏,但可以击败帧破坏技术。
According to researchers (PDF) from Stanford University and Carnegie Mellon University, frame-busting isn't as effective at preventing clickjacking as hoped.
The original article on eweek ; eweek上的原始文章;
The research paper from Stanford (PDF) 斯坦福大学的研究论文(PDF)
解决方案5
0 2010-09-19 18:50:14
If all you want is a preview of the website there are a number of services out there that do that. 如果您只想预览该网站,则可以使用许多服务。 I have not used any, but a quick Google search finds this one 我没有用过,但是通过Google的快速搜索找到了
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.