如何禁止框架
[英]How to forbid framing
问题描述
I have recently noticed that stack overflow "for security reasons" does not allow framing. 
我最近注意到“出于安全原因”堆栈溢出不允许框架。
1) How was this done? 1)这是怎么做到的? (Not is SO specific case! I mean the technique/language etc, for some reason I guess is js) (不是特定情况!我的意思是技术/语言等,出于某种原因,我猜是js)
2) Is it actually avoiding it or just a warning (sort of like client side validation) 2)它实际上是避免它还是只是警告(有点像客户端验证)
3) Should this always be done or are there specific reasons for doing this and is not necesary in most of the cases (this is the first time I've seen it) 3)是否应该这样做或者是否有特定的理由这样做,并且在大多数情况下不是必要的(这是我第一次见到它)
Thanks in advance!!! 提前致谢!!!
3 个解决方案
解决方案1
9 已采纳 2010-12-12 01:12:44
1) Frame busting is always done on the client: since the server is never told that a page is requested to be used in a frame, it has to be done client-side. 1)框架破坏总是在客户端上完成:由于服务器永远不会被告知要求在框架中使用页面,因此必须在客户端完成。 Recent browsers support a special HTTP header called X-Frame-Options to prevent displaying a page in a frame, but for removing the frames or for older browser versions, you need Javascript. 最近的浏览器支持一个名为X-Frame-Options的特殊HTTP标头,以防止在框架中显示页面,但是为了删除框架或旧浏览器版本,您需要Javascript。 (Thanks to ide for pointing this out!) (感谢ide指出这个!)
2) Assuming you don't use the HTTP header, then if Javascript is turned off, then the frame will stay. 2)假设您不使用HTTP标头,那么如果关闭Javascript,则框架将保留。 There's no way around that, since it has to happen client-side. 没有办法解决这个问题,因为它必须在客户端发生。
3) It was actually fairly common some years ago, although it seems most sites have stopped using it by now. 3)几年前它实际上相当普遍,虽然现在看来大多数网站都停止使用它。 One reason you might still use it is to prevent clickjacking . 您可能仍然使用它的一个原因是防止点击劫持 。
Now, it just so happens that frame busting can be busted , and there's actually an SO question about how frame-busting busters can be busted - SO is currently using this kind of anti-anti-frame busting. 现在,碰巧框架破坏可能被破坏 ,实际上还有一个关于如何破坏破坏框架的破坏者的问题 - 目前正在使用这种反框架破坏。
(Of course, it could be the case that this anti-anti-frame busting can itself be busted, in which case there might be a way to bust the anti-anti-frame-busting buster, and I'm sure you see where this is going.) (当然,可能是这种反框架破坏本身可以被破坏的情况,在这种情况下可能有一种方法来破坏反框架破坏的破坏者,我敢肯定你看到哪里这是。)
解决方案2
1 2010-12-12 01:04:04
请参阅有关框架断路器的这篇文章: http : //www.codinghorror.com/blog/2009/06/we-done-been-framed.html
解决方案3
0 2010-12-12 01:02:10
Have you tried: http://www.cryer.co.uk/resources/javascript/script1.htm I would assume SO is using javascript to accomplish it meaning that it could be bypassed by a user who dosen't have javascript enabled or maybe by sometime of advanced on the fly html/javascript modification. 您是否尝试过: http : //www.cryer.co.uk/resources/javascript/script1.htm我会假设SO正在使用javascript来完成它意味着它可以被没有启用javascript的用户绕过或者也许通过某些时候的高级飞行html / javascript修改。 I believe it is completely client side. 我相信它完全是客户端。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.