防止iframe更改父位置
[英]prevent iframe from changing parent location
问题描述
Suppose http://a.com/foo contains <iframe src="http://b.com/bar"> 
假设http://a.com/foo包含<iframe src="http://b.com/bar">
Sometimes b.com/bar will break out of its frame: the top-level window will redirect away from a.com/foo into b.com/bar. 有时b.com/bar会突破其框架:顶级窗口将从aff重定向到b.com/bar。 I don't know how b.com is doing this. 我不知道b.com是如何做到这一点的。
I thought it wasn't possible for a cross-domain iframe to interfere with the parent unless the parent cooperates via postMessage. 我认为跨域iframe不可能干扰父级,除非父级通过postMessage进行合作。 Is changing the window location exempt from this? 是否正在更改窗口位置?
If that is what's happening, how can a.com prevent this redirect? 如果发生了这种情况,a.com如何阻止这种重定向? I control a.com but cannot modify b.com. 我控制a.com但无法修改b.com。
If that's not what's happening, how can I find out what b.com is doing to achieve the redirect? 如果这不是正在发生的事情,我怎样才能找出b.com正在做什么来实现重定向?
It would be acceptable to force b.com to load itself into a new window, or sabotage its access to the top or parent objects. 强制b.com将自身加载到新窗口,或破坏其对top或parent对象的访问是可以接受的。 Other degradations of b.com's behaviour may be acceptable. b.com行为的其他降级可能是可以接受的。
4 个解决方案
解决方案1
1 已采纳 2017-02-01 23:56:11
Parent can use sandbox attribute on iframe : 父可以在iframe上使用sandbox属性:
http://www.w3schools.com/TAgs/att_iframe_sandbox.asp http://www.w3schools.com/TAgs/att_iframe_sandbox.asp
Then iframe will no longer be able to redirect parent. 然后iframe将无法再重定向父级。
解决方案2
0 2012-03-30 16:39:32
What may be happening is a link inside b.com has the attribute Target='_parent'. 可能发生的事情是b.com中的链接具有属性Target ='_ parent'。 This would make the window/iframe parent update. 这将使window / iframe父更新。
If you control b.com - ensure all your targets are _self. 如果您控制b.com - 确保您的所有目标都是_self。
解决方案3
0 2012-03-30 16:46:12
that's called 'frame busting'. 这被称为“框架破坏”。 Supposedly there are techniques to stop that ( http://seclab.stanford.edu/websec/framebusting/index.php ). 据说有技术可以阻止这种情况( http://seclab.stanford.edu/websec/framebusting/index.php )。
Maybe instead of an iframe you could use ajax or similar to load the frame's content into your page? 也许你可以使用ajax或者类似的方式将框架的内容加载到你的页面中而不是iframe?
解决方案4
0 2012-03-30 17:06:40
An ajax solution could work if I create a.com/proxy.php which will use cURL to fetch b.com. 如果我创建一个将使用cURL来获取b.com的a.com/proxy.php ,那么ajax解决方案可以工作。
Pros: 优点:
- can change or remove any script 可以更改或删除任何脚本
- can adjust b.com content (preview mode) 可以调整b.com内容(预览模式)
- can get around cross-domain iframe restrictions 可以绕过跨域iframe限制
Cons: 缺点:
- cookies/sessions on b.com won't be available b.com上的cookies / sessions将无法使用
- b.com may require scripts to create its content b.com可能需要脚本来创建其内容
- burden of bandwidth 带宽负担
- coding effort to make hrefs work 编写努力使href工作
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.