[英]prevent iframe from changing parent location
Suppose http://a.com/foo contains <iframe src="http://b.com/bar">
假设http://a.com/foo包含
<iframe src="http://b.com/bar">
Sometimes b.com/bar will break out of its frame: the top-level window will redirect away from a.com/foo into b.com/bar. 有时b.com/bar会突破其框架:顶级窗口将从aff重定向到b.com/bar。 I don't know how b.com is doing this.
我不知道b.com是如何做到这一点的。
I thought it wasn't possible for a cross-domain iframe to interfere with the parent unless the parent cooperates via postMessage. 我认为跨域iframe不可能干扰父级,除非父级通过postMessage进行合作。 Is changing the window location exempt from this?
是否正在更改窗口位置?
If that is what's happening, how can a.com prevent this redirect? 如果发生了这种情况,a.com如何阻止这种重定向? I control a.com but cannot modify b.com.
我控制a.com但无法修改b.com。
If that's not what's happening, how can I find out what b.com is doing to achieve the redirect? 如果这不是正在发生的事情,我怎样才能找出b.com正在做什么来实现重定向?
It would be acceptable to force b.com to load itself into a new window, or sabotage its access to the top
or parent
objects. 强制b.com将自身加载到新窗口,或破坏其对
top
或parent
对象的访问是可以接受的。 Other degradations of b.com's behaviour may be acceptable. b.com行为的其他降级可能是可以接受的。
Parent can use sandbox
attribute on iframe
: 父可以在
iframe
上使用sandbox
属性:
http://www.w3schools.com/TAgs/att_iframe_sandbox.asp http://www.w3schools.com/TAgs/att_iframe_sandbox.asp
Then iframe
will no longer be able to redirect parent. 然后
iframe
将无法再重定向父级。
What may be happening is a link inside b.com has the attribute Target='_parent'. 可能发生的事情是b.com中的链接具有属性Target ='_ parent'。 This would make the window/iframe parent update.
这将使window / iframe父更新。
If you control b.com - ensure all your targets are _self. 如果您控制b.com - 确保您的所有目标都是_self。
that's called 'frame busting'. 这被称为“框架破坏”。 Supposedly there are techniques to stop that ( http://seclab.stanford.edu/websec/framebusting/index.php ).
据说有技术可以阻止这种情况( http://seclab.stanford.edu/websec/framebusting/index.php )。
Maybe instead of an iframe you could use ajax or similar to load the frame's content into your page? 也许你可以使用ajax或者类似的方式将框架的内容加载到你的页面中而不是iframe?
An ajax solution could work if I create a.com/proxy.php
which will use cURL to fetch b.com. 如果我创建一个将使用cURL来获取b.com的
a.com/proxy.php
,那么ajax解决方案可以工作。
Pros: 优点:
Cons: 缺点:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.