Frame Busting: How to Stop Unauthorized Iframing of Your Content
A visitor to my site once told me that when he clicked one of my links on Twitter, he was taken to my site with a huge popup and a malicious code warning. That is enough to scare the heck out of someone, so I started doing some tests. There was nothing wrong with my site; the problem was the link.
The link on the other site generated a top toolbar that encouraged people to click a malicious link while loading my site in an iframe underneath it. To many people, my site would appear to be spreading malicious code. I would not say I want any site embedding my site within an iframe, so I did what any reasonable geek would do... I loaded up a frame buster.
Iframing your site is not always malicious, though. We recently shared a tool, Sniply, for adding a call-to-action (CTA) to any web page link you share. It does this by placing your entire site in an iframe and overlaying a div with the call-to-action on top of your content.
But I take my content and the effort I have put into Martech Zone very seriously, so I do not want anyone iframing my content, even on a link-sharing premise. Doing some research, there are several ways to handle this.
How to Stop Iframing of Your Content With JavaScript
This JavaScript checks whether the current window (self) is not the topmost window (top). If it is not, the page is inside a frame, iframe, or similar, and the script redirects the topmost window to the current window's URL. This effectively breaks out of the iframe.
<script type='text/javascript'>
if (top !== self) top.location.href = self.location.href;
</script>
There are several drawbacks to this approach:
- Reliance on JavaScript: if the user has JavaScript disabled, this method will not work.
- Delay: there can be a brief delay before the JavaScript runs, during which the framed version of your site is still visible.
- Cross-origin restrictions: the Same-Origin Policy does not stop this script from navigating the top window (assigning top.location is allowed across origins, although reading top.location.href from a cross-origin frame is not). What does stop it is an embedding page that loads your site in a sandboxed iframe without the allow-top-navigation flag: the browser then refuses the navigation and your page stays framed.
- Frame-busting-busters: there are also scripts on the parent page (known as frame-busting-busters) that can prevent frame-busting scripts from working, for example by cancelling the navigation from an onbeforeunload handler.
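The delay and the frame-busting-busters above are why the classic advice is to hide the page by default and reveal it only once it turns out to be the top-level window: if the navigation is blocked, the attacker gets a blank frame rather than your content under their toolbar. The following is an added example, not the snippet from this post. It assumes a <style id="antiClickjack"> element in the document head that hides the body, and it takes window and document as parameters (win, doc) so the decision logic can be exercised outside a browser.

```javascript
// Added example (not the original post's code): a "hide by default" frame buster.
// Expected markup, placed in <head> before this script:
//   <style id="antiClickjack">body { display: none !important; }</style>
// `win` and `doc` stand in for window and document; the last lines pass the
// real globals when this file runs inside a browser.

function installFrameBuster(win, doc) {
  const guard = doc.getElementById('antiClickjack');

  if (win.top === win.self) {
    // Top-level window: remove the hiding stylesheet so the page renders.
    if (guard && guard.parentNode) guard.parentNode.removeChild(guard);
    return 'revealed';
  }

  // Framed. Assigning top.location is permitted across origins (reading it is
  // not), but a sandboxed iframe without allow-top-navigation, or an
  // onbeforeunload handler in the parent, can stop the navigation. In that case
  // the stylesheet is still never removed, so the framed copy stays blank
  // instead of being shown under an attacker's toolbar.
  try {
    win.top.location = win.self.location.href;
    return 'busting';
  } catch (err) {
    // Some browsers throw a SecurityError when the navigation is refused.
    return 'blocked';
  }
}

// In a real page, run immediately with the browser globals.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installFrameBuster(window, document);
}
```

The important design point is that the stylesheet is removed only in the top-level branch; a blocked or silently dropped navigation leaves the framed copy hidden, which is the failure mode the plain one-liner gets wrong.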
A better approach is to use HTTP response headers.
X-Frame-Options and Content-Security-Policy
Both X-Frame-Options and Content-Security-Policy (CSP) are HTTP response headers used to harden a website. Each serves a somewhat different purpose, and they differ in flexibility.
X-Frame-Options is the older HTTP header, designed specifically to control whether your site may be embedded in a <frame>, <iframe>, <embed>, or <object> on another site. It has three possible directives:
- DENY - the page may not be displayed in a frame, regardless of which site is attempting to do so.
- SAMEORIGIN - the page may only be displayed in a frame on the same origin as the page itself.
- ALLOW-FROM uri - the page may only be displayed in a frame on the specified origin.
However, X-Frame-Options is limited: it cannot handle more complex scenarios, such as allowing framing from several different origins or using wildcards for subdomains. The ALLOW-FROM directive is obsolete and not supported by current browsers (Chrome and Safari never implemented it, and Firefox has removed it). Worse, a browser that does not recognise the value ignores the header entirely, so a page sent with ALLOW-FROM can be framed by anyone. Do not rely on it.
Content-Security-Policy, on the other hand, is a far more flexible and powerful HTTP header. While it can do everything X-Frame-Options can and much more, its primary purpose is to prevent a range of injection attacks, above all cross-site scripting (XSS), and it also covers clickjacking. It works by specifying an allowlist of trusted sources for each kind of content (scripts, styles, images, and so on).
For controlling framing, CSP uses the frame-ancestors directive. You can specify several sources, including multiple domains and wildcard subdomains. Here is an example:
Content-Security-Policy: frame-ancestors 'self' yourdomain.com *.domain2.com;
This allows the page to be framed on its own origin ('self'), on yourdomain.com, and on any subdomain of domain2.com.
CSP is recommended as the replacement for X-Frame-Options, since it can handle everything X-Frame-Options can and more. When both headers are present, a browser that understands frame-ancestors uses it and ignores X-Frame-Options, so sending both is safe and gives older browsers a fallback. While most modern browsers support CSP, some older or less common browsers may still not support it fully.
How to Stop Iframing of Your Content With HTML
There is also a Content-Security-Policy meta tag that looks as if it should remove the ability to iframe your content:
<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self' yourdomain.com">
It does not work for this purpose. The CSP specification requires browsers to ignore the frame-ancestors directive when the policy is delivered in a <meta> element (and X-Frame-Options in a meta tag is ignored as well), so the page remains framable. Framing protection has to be set in the HTTP response headers.
How to Stop Iframing of Your Content With HTTP Headers
It is best to use the HTTP headers X-Frame-Options or Content-Security-Policy to control framing. These options are more reliable and more secure, and they work even when JavaScript is disabled. The JavaScript approach should only be used as a last resort, when you do not control the server and cannot set HTTP headers. In each example, replace yourdomain.com with your actual domain.
Apache - edit your .htaccess file as follows (this requires mod_headers to be enabled):
Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' yourdomain.com"
Nginx - edit your server block as follows (note that add_header directives in a nested location block replace, rather than add to, those of the enclosing block, so repeat them there if needed):
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' yourdomain.com";
IIS - do this by adding the following to your web.config file:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
<add name="Content-Security-Policy" value="frame-ancestors 'self' yourdomain.com" />
</customHeaders>
</httpProtocol>
</system.webServer>
WordPress - do this by adding this code to your theme's functions.php file:
function add_security_headers() {
header('X-Frame-Options: SAMEORIGIN');
header("Content-Security-Policy: frame-ancestors 'self' yourdomain.com");
}
add_action('send_headers', 'add_security_headers');
These configurations allow your page to be embedded in iframes on the exact host you specify, not on any of its subdomains: 'self' covers only the page's own scheme, host and port, and yourdomain.com matches only that hostname, not www.yourdomain.com. If you want to allow certain subdomains, you have to list them explicitly, such as subdomain1.yourdomain.com, subdomain2.yourdomain.com, and so on. Sending X-Frame-Options SAMEORIGIN alongside a frame-ancestors list that names other hosts is deliberate: browsers that understand frame-ancestors ignore X-Frame-Options, while older browsers fall back to same-origin only.
Allow Iframing of Your Content From Multiple Domains
You can specify several domains with the Content-Security-Policy HTTP response header and the frame-ancestors directive. Separate each domain with a space. Here is an example:
Content-Security-Policy: frame-ancestors 'self' domain1.com domain2.com domain3.com;
Apache - edit your .htaccess file as follows:
Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com"
Nginx - edit your server block as follows:
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com";
IIS - do this by adding the following to your web.config file:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
<add name="Content-Security-Policy" value="frame-ancestors 'self' domain1.com domain2.com domain3.com" />
</customHeaders>
</httpProtocol>
</system.webServer>
Allow Iframing of Your Content From a Wildcard Domain
You can also specify a wildcard for all subdomains with the Content-Security-Policy HTTP response header and the frame-ancestors directive. A wildcard such as *.yourdomain.com matches every subdomain but not the bare yourdomain.com, so list the apex host too if you need it. X-Frame-Options cannot express a wildcard, which is why these examples send only the CSP header; you can still add X-Frame-Options SAMEORIGIN as a fallback for old browsers. Here is an example of the Content-Security-Policy value to use:
Content-Security-Policy: frame-ancestors 'self' *.yourdomain.com;
Apache - edit your .htaccess file as follows:
Header always set Content-Security-Policy "frame-ancestors 'self' *.yourdomain.com"
Nginx - edit your server block as follows (this example combines wildcards for several domains):
add_header Content-Security-Policy "frame-ancestors 'self' *.domain1.com *.domain2.com *.domain3.com";
IIS - do this by adding the following to your web.config file:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="frame-ancestors 'self' *.yourdomain.com" />
</customHeaders>
</httpProtocol>
</system.webServer>
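The rules spread across the sections above (an exact host versus a *.wildcard, what 'self' covers, the scheme and port a bare host matches, and CSP taking precedence over X-Frame-Options) are easy to get wrong, and a misreading usually fails open. The following is an added example, not code from this post: a small Node.js model of the browser's decision for a given embedding origin, using constructed header values. The helper names (framingDecision, parseFrameAncestors, sourceMatches) and the sample origins are assumptions of the example; the matching rules follow the CSP3 frame-ancestors and X-Frame-Options semantics described on this page.

```javascript
// Added example (not the original post's code): a model of how a browser decides
// whether an embedding origin may frame a response, from the response's
// X-Frame-Options and Content-Security-Policy headers. Header values below are
// constructed for the example; the matching rules are CSP3 frame-ancestors and
// X-Frame-Options semantics. Only HTTP headers are modelled: frame-ancestors in
// a <meta> tag is ignored by browsers and so is not an input here.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// Source list of the frame-ancestors directive, or null if the policy has none.
function parseFrameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);           // "*.yourdomain.com" -> ".yourdomain.com"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;                 // "yourdomain.com" matches that host only
}

// One frame-ancestors source expression against one ancestor origin (both URL objects).
function sourceMatches(source, ancestor, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestor.origin === page.origin;
  if (/^[a-z][a-z0-9+.\-]*:$/.test(s)) return ancestor.protocol === s;   // scheme-source, e.g. https:

  let scheme = null;
  let rest = s;
  const m = s.match(/^([a-z][a-z0-9+.\-]*):\/\/(.+)$/);
  if (m) { scheme = m[1] + ':'; rest = m[2]; }
  const [hostPattern, portPattern] = rest.split(':');

  if (scheme) {
    if (ancestor.protocol !== scheme) return false;
  } else if (ancestor.protocol !== page.protocol &&
             !(page.protocol === 'http:' && ancestor.protocol === 'https:')) {
    return false;   // schemeless host: the page's own scheme, or https for an http page
  }
  if (!hostMatches(hostPattern, ancestor.hostname)) return false;
  if (portPattern === undefined) return effectivePort(ancestor) === DEFAULT_PORTS[ancestor.protocol];
  return portPattern === '*' || portPattern === effectivePort(ancestor);
}

// headers: lower-cased header names -> values. Returns which header decided.
function framingDecision(headers, ancestorOrigin, pageOrigin) {
  const ancestor = new URL(ancestorOrigin);
  const page = new URL(pageOrigin);

  // A frame-ancestors directive, when present, takes precedence over X-Frame-Options.
  const csp = headers['content-security-policy'];
  const sources = csp ? parseFrameAncestors(csp) : null;
  if (sources) {
    const allowed = sources.some((src) => sourceMatches(src, ancestor, page));
    return { allowed, decidedBy: 'frame-ancestors' };
  }

  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, decidedBy: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') return { allowed: ancestor.origin === page.origin, decidedBy: 'x-frame-options' };
  // ALLOW-FROM is obsolete; modern browsers ignore the whole header when they
  // see it (or any other unrecognised value), as if none had been sent.
  return { allowed: true, decidedBy: xfo ? 'x-frame-options ignored' : 'no policy' };
}

// Constructed demonstration: the post's single-domain configuration.
const sampleHeaders = {
  'x-frame-options': 'SAMEORIGIN',
  'content-security-policy': "frame-ancestors 'self' yourdomain.com",
};
for (const ancestor of ['https://yourdomain.com', 'https://blog.yourdomain.com',
                        'http://yourdomain.com', 'https://sniply.example']) {
  const d = framingDecision(sampleHeaders, ancestor, 'https://yourdomain.com');
  console.log(`${ancestor.padEnd(30)} ${d.allowed ? 'allowed' : 'denied '} (${d.decidedBy})`);
}
```

Run it with node to print the decision table. The cases worth internalising are that yourdomain.com covers neither blog.yourdomain.com nor http://yourdomain.com on an https page, that *.yourdomain.com does not cover the apex host, and that an ALLOW-FROM value is ignored entirely, leaving the page framable by anyone.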