
Iframe Breaking: How to Stop Unauthorized Iframing of Your Content

A visitor to my site once told me that when he clicked one of my links on Twitter, he was taken to my site with a large pop-up and a warning about malicious code. That is enough to scare the heck out of anyone, so I started running some tests. There was nothing wrong with my site; the problem was the link.

The link on the other site produced a top toolbar that encouraged people to click a malicious link while loading my site in an iframe beneath it. To many people, my site would appear to be spreading malicious code. I would never want any site to load my site within an iframe, so I did what any reasonable geek would do... I loaded up a frame breaker.

Iframing your site isn't always malicious, though. We recently shared a tool, Sniply, for adding a call-to-action (CTA) to any web link you share. It does this by loading the entire site in an iframe and overlaying a div with the call-to-action on top of your content.

But I'm very protective of my content and the effort I've put into Martech Zone, so I don't want anyone iframing my content, even with a link-sharing premise. In doing some research, I found there are several ways to handle this.

How to Stop Iframing of Your Content With JavaScript

This JavaScript checks whether the current window (self) is not the topmost window (top). If it isn't, the page is inside a frame, iframe, or similar, and the script redirects the topmost window to the current window's URL. This effectively breaks out of the iframe.

<script type='text/javascript'>
if (top !== self) top.location.href = self.location.href;
</script>

There are several flaws to this approach:

  1. Reliance on JavaScript: If the user has JavaScript disabled, this method won't work.
  2. Delays: There can be a slight delay before the JavaScript executes, during which the framed version of your site may still be visible.
  3. Cross-Origin Restrictions: In some situations, the Same-Origin Policy can prevent this script from working as intended. If the parent document is on a different domain, you may not be able to access top.location.href.
  4. Potential for Frame-Busting-Busters: There are also scripts (called frame-busting-busters) that can prevent frame-busting scripts from working.
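If you must rely on script, the pattern below (an added example, not code from the original post) addresses flaws 2 and 4: the page ships with a style element that hides everything, and the script removes that style only after confirming the window is not framed, so a delayed or blocked redirect leaves the framer with a blank box rather than your content. It assumes this markup sits in the head of the page, before any script: `<style id="antiClickjack">html { display: none !important; }</style>`. The decision logic takes the window and document as parameters so it can be exercised outside a browser.

```javascript
// Added example (not from the original post): frame busting with the page
// hidden by default. Assumes the markup contains, before any script:
//   <style id="antiClickjack">html { display: none !important; }</style>

// Returns "top" when this window is the topmost window, "framed" otherwise.
function framingState(win) {
  return win.top === win.self ? "top" : "framed";
}

// Applies the policy to a window. Returns what happened so a caller (or a
// test) can inspect it: "revealed" when the page was unhidden, "busting"
// when a top-level navigation was attempted.
function applyFrameBusting(win, doc) {
  if (framingState(win) === "top") {
    // Not framed: drop the hiding style so the page renders normally.
    const style = doc.getElementById("antiClickjack");
    if (style) style.remove();
    return "revealed";
  }
  // Framed. Assigning top.location is permitted even when the parent is
  // cross-origin; it is *reading* top.location.href that the Same-Origin
  // Policy blocks (flaw 3). So navigate the top window to our own URL. If a
  // sandboxed frame or a frame-busting-buster refuses the navigation, the
  // content simply stays hidden.
  try {
    win.top.location = win.self.location.href;
  } catch (err) {
    // Navigation refused; the page remains hidden.
  }
  return "busting";
}

// Run immediately in a browser; skipped when loaded outside one.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyFrameBusting(window, document);
}
```

The difference from the two-line version above is what happens when the script never runs (JavaScript disabled, or the frame sandboxed without allow-scripts) or the redirect is suppressed: the reader sees nothing instead of your content inside someone else's chrome. It remains a client-side measure, and the headers described next are still the reliable control.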

A better approach is to use HTTP response headers.

X-Frame-Options and Content-Security-Policy

Both X-Frame-Options and Content-Security-Policy (CSP) are HTTP response headers used to strengthen the security of a website. Each serves a somewhat different purpose and offers a different level of flexibility.

X-Frame-Options is an older HTTP header designed specifically to control whether your site can be embedded in a <frame>, <iframe>, <embed>, or <object> on another site. It has three possible directives:

  1. DENY – The page cannot be displayed in a frame, regardless of the site attempting to do so.
  2. SAMEORIGIN – The page can only be displayed in a frame on the same origin as the page itself.
  3. ALLOW-FROM uri – The page can only be displayed in a frame on the specified origin.

However, X-Frame-Options is limited in that it cannot handle more complex scenarios, such as allowing framing from multiple different origins or using wildcards for subdomains. Not all browsers support the ALLOW-FROM directive.

Content-Security-Policy, on the other hand, is a far more flexible and powerful HTTP header. While it can do everything X-Frame-Options can do and much more, its primary purpose is to prevent a variety of code injection attacks, including cross-site scripting (XSS) and clickjacking. It works by specifying a whitelist of trusted sources of content (scripts, styles, images, and so on).

For controlling frames, CSP uses the frame-ancestors directive. You can specify multiple sources, including multiple domains and wildcard subdomains. Here is an example:

Content-Security-Policy: frame-ancestors 'self' yourdomain.com *.domain2.com;

This would allow the page to be framed on its own site ('self'), on yourdomain.com, and on any subdomain of domain2.com.

CSP is recommended as a replacement for X-Frame-Options, since it can handle everything X-Frame-Options can, and much more. While most modern browsers support CSP, there may still be some older or less common browsers that do not fully support it.

How to Stop Iframing of Your Content With HTML

There is now a Content-Security-Policy meta tag that can be deployed to remove the ability to iframe your content:

<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self' yourdomain.com">

The effectiveness of the HTML meta tag is limited because not all browsers honor Content-Security-Policy when it is set using a meta tag.

How to Stop Iframing of Your Content With HTTP Headers

It is better to use the HTTP headers X-Frame-Options or Content-Security-Policy to control framing. These options are more reliable and secure, and they work even if JavaScript is disabled. The JavaScript method should only be used as a last resort if you do not have control over the server to set HTTP headers. For each example, replace yourdomain.com with your actual domain.

Apache – Modify your .htaccess file as follows:

Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' yourdomain.com"

Nginx – Modify your server block as follows:

add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' yourdomain.com";

IIS – Do this by adding the following to your web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="frame-ancestors 'self' yourdomain.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

WordPress – Do this by adding the following code to your functions.php file:

function add_security_headers() {
  header('X-Frame-Options: SAMEORIGIN');
  header("Content-Security-Policy: frame-ancestors 'self' yourdomain.com");
}
add_action('send_headers', 'add_security_headers');

These configurations will allow your page to be embedded within iframes on the exact domain you specify, not on any of its subdomains. If you want to allow certain subdomains, you would have to list them explicitly, like subdomain1.yourdomain.com subdomain2.yourdomain.com, and so on.

Allow Iframing of Your Content From Multiple Domains

You can specify multiple domains with the Content-Security-Policy HTTP response header and the frame-ancestors directive. A space should separate each domain. Here is an example:

Content-Security-Policy: frame-ancestors 'self' domain1.com domain2.com domain3.com;

Apache – Modify your .htaccess file as follows:

Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com"

Nginx – Modify your server block as follows:

add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com";

IIS – Do this by adding the following to your web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <add name="Content-Security-Policy" value="frame-ancestors 'self' domain1.com domain2.com domain3.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Allow Iframing of Your Content From a Wildcard Domain

You can also specify a wildcard for all subdomains with the Content-Security-Policy HTTP response header and the frame-ancestors directive. Here are examples of the Content-Security-Policy code that would need to be updated:

Content-Security-Policy: frame-ancestors 'self' *.yourdomain.com;

Apache – Modify your .htaccess file as follows:

Header always set Content-Security-Policy "frame-ancestors 'self' *.yourdomain.com"

Nginx – Modify your server block as follows:

add_header Content-Security-Policy "frame-ancestors 'self' *.domain1.com *.domain2.com *.domain3.com";

IIS – Do this by adding the following to your web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="frame-ancestors 'self' *.yourdomain.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
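Once one of the server configurations above is in place, the useful check is whether the headers the server actually sends would let a given parent page frame yours. The evaluator below is an added example, not code from the original post or from any of the servers it configures; it covers the X-Frame-Options and CSP section, the single-domain, multiple-domain and wildcard-subdomain policies shown above, and goes slightly beyond them by also handling 'none', '*', scheme-only sources and explicit ports. The host names and header sets in it are constructed for illustration, and its matching is a simplified form of the CSP source-expression rules.

```javascript
// Added example (not from the original post): given the response headers a
// page sends and the origin of a would-be parent page, decide whether a
// browser would permit the framing. Sample hosts and policies are constructed.

// Extract the frame-ancestors source list from a CSP header value.
// Returns null when the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Break an origin string into the parts the matching rules compare.
// A missing port is filled in with the scheme's default.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port || (scheme === "https" ? "443" : "80");
  return { scheme, host: u.hostname.toLowerCase(), port };
}

// Does one frame-ancestors source expression admit the parent origin?
// Handles 'none', 'self', '*', scheme-only sources such as "https:", and
// host sources with an optional scheme, optional port and *.wildcard label.
function sourceMatches(source, parent, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") {
    return parent.scheme === self.scheme && parent.host === self.host && parent.port === self.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.scheme === s.slice(0, -1);
  let rest = s;
  const schemeMatch = rest.match(/^([a-z][a-z0-9+.-]*):\/\//);
  if (schemeMatch) {
    if (parent.scheme !== schemeMatch[1]) return false;
    rest = rest.slice(schemeMatch[0].length);
  }
  const [host, port] = rest.split(":");
  if (port && port !== "*" && port !== parent.port) return false;
  if (host.startsWith("*.")) {
    // A wildcard admits subdomains only; the bare domain must be listed separately.
    return parent.host.endsWith(host.slice(1)) && parent.host !== host.slice(2);
  }
  return parent.host === host;
}

// Case-insensitive lookup over a plain object of header names to values.
function header(headers, name) {
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === name.toLowerCase()) return v;
  }
  return undefined;
}

// Decide whether a page at pageOrigin, served with `headers`, may be framed by
// a document at parentOrigin. A CSP frame-ancestors directive, when present,
// takes precedence over X-Frame-Options, as the CSP specification requires.
function evaluateFraming(headers, pageOrigin, parentOrigin) {
  const self = parseOrigin(pageOrigin);
  const parent = parseOrigin(parentOrigin);
  const sources = frameAncestors(header(headers, "Content-Security-Policy"));
  if (sources) {
    const allowed = sources.some((src) => sourceMatches(src, parent, self));
    return { allowed, reason: `frame-ancestors ${allowed ? "admits" : "rejects"} ${parentOrigin}` };
  }
  const xfo = (header(headers, "X-Frame-Options") || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    const same = sourceMatches("'self'", parent, self);
    return { allowed: same, reason: `X-Frame-Options: SAMEORIGIN, parent is ${same ? "" : "not "}same-origin` };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    // Current browsers do not support ALLOW-FROM and ignore the header, so it
    // is treated as no protection (conservative assumption).
    return { allowed: true, reason: "X-Frame-Options: ALLOW-FROM is ignored by current browsers" };
  }
  return { allowed: true, reason: "no framing restriction sent" };
}

// Constructed sample: the wildcard policy from the section above, as the
// Apache or Nginx snippet would emit it.
const SAMPLE_HEADERS = {
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy": "frame-ancestors 'self' *.yourdomain.com",
};

for (const parent of ["https://yourdomain.com", "https://blog.yourdomain.com", "https://yourdomain.com.other.example"]) {
  const r = evaluateFraming(SAMPLE_HEADERS, "https://yourdomain.com", parent);
  console.log(`${parent}: ${r.allowed ? "allowed" : "blocked"} (${r.reason})`);
}
```

Feed it the headers you actually observe from the server (for example from `curl -I https://yourdomain.com`) rather than the ones you intended to configure; the two differ surprisingly often after a proxy or CDN rewrites responses. The evaluator reads response headers only because a frame-ancestors directive delivered in a meta tag is ignored by browsers under the CSP specification.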

Douglas Karr

Douglas Karr is CMO of OpenINSIGHTS and the founder of Martech Zone. Douglas has helped dozens of successful MarTech startups, has assisted in the due diligence of over $5 billion in Martech acquisitions and investments, and continues to help companies implement and automate their sales and marketing strategies. Douglas is an internationally recognized digital transformation and MarTech expert and speaker. Douglas is also the published author of a Dummies guide and a business leadership book.
