Is it possible to block remote scripts from loading inside iframe?

Views: 171

Problem description

I am creating iframes dynamically and I want to prevent scripts that don't originate from the iframes' origin. Is this even possible (via JavaScript/jQuery)? For example, if my page loads an iframe from example.com with the contents:

<script src="http://example.com/foo.js"></script>
<script src="http://something-else.com/bar.js"></script>

I want the example.com script to run, but I want the something-else.com script to be blocked and not run.

I am using NW.js (formerly Node-Webkit), so I have full read-write access to the iframes' contents as if they were same-origin.

I've tried using plugins (like those that bring CORS into the picture, with whitelisting), but nothing I've tried is working.

An ideal solution would also allow me to whitelist specific other origins in addition to the iframe's origin.

Here is my browser project I am trying to implement this in: https://github.com/IdeasNeverCease/Aries

Here is the section of code the iframe loading is done in: https://github.com/IdeasNeverCease/Aries/blob/master/app.nw/resources/scripts/aries.js#L376-L687

Recommended answer

"I want to prevent scripts that don't originate from the iframes' source"

This is exactly what a Content Security Policy (CSP) is for. A CSP can specify which origins are permitted for scripts, plugins, styles, media, etc. You need to cause each iframe to have a CSP that prevents script loads outside of the current origin; this can be done with the simple policy script-src 'self' 'unsafe-inline'; (the unsafe-inline allows the iframe to have inline scripts and the self restricts loads to same-origin resources only).

Traditionally, you need the server to send the Content-Security-Policy response header when serving the page. However, if you don't have control over the server-sent response headers (but do have control over the page content) you can imitate an HTTP response header with a <meta> tag like so:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">

You can inject this programmatically (but read on for issues):

// Build a <meta http-equiv="Content-Security-Policy"> element ...
var m = document.createElement("meta");
m.httpEquiv = "content-security-policy";
m.content = "script-src 'self' 'unsafe-inline';";
// ... and append it to the iframe's document (same-origin access is required)
iframeElem.contentDocument.documentElement.appendChild(m);

However, this script-based injection might not work for you, because you'll only have a DOM to work with after the DOM is parsed from the HTML source. At that time, the scripts from any (non-async) <script> elements will already have been fetched and run. You may need to manipulate the HTML directly, but I don't know enough about NW.js to tell you the best way to do that.

If you want to disallow all external script resources (even ones from the same origin), you can use script-src 'none' 'unsafe-inline';. To disallow all scripts, including loaded scripts and inline scripts, use script-src 'none';.

In order to whitelist specific origins, simply add them as unquoted items in the CSP:

Content-Security-Policy: script-src 'self' *.twitter.com https://api.facebook.com

A leading *. allows all subdomains, and a leading https:// limits the whitelist for that domain to secure https:// addresses only.
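To make the effect of the policies above concrete, here is an added example (not part of the original answer or the Aries project): a deliberately simplified script-src matcher that decides whether a given script URL, or an inline script, would be permitted by a policy for a document at a given origin. It assumes no ports, paths, nonces, hashes or 'strict-dynamic' in the policy; a scheme-less host source matches the document's scheme (or https when the document is http), and a "*." prefix matches subdomains only, not the bare domain, as in the CSP specification.

```javascript
// Simplified CSP script-src evaluation (added example; assumptions listed above).

function parseScriptSrc(policy) {
  // Extract the source list of the script-src directive, or null if absent.
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] && tokens[0].toLowerCase() === "script-src") return tokens.slice(1);
  }
  return null;
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  // "*.twitter.com" covers "cdn.twitter.com" but not "twitter.com" itself.
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// scriptUrl === null means an inline <script> element.
function scriptAllowed(policy, documentOrigin, scriptUrl) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return true; // no script-src directive: unrestricted
  if (scriptUrl === null) return sources.includes("'unsafe-inline'");
  const doc = new URL(documentOrigin);
  const target = new URL(scriptUrl);
  for (const src of sources) {
    // 'none' and 'unsafe-inline' never match an external URL.
    if (src === "'none'" || src === "'unsafe-inline'") continue;
    if (src === "'self'") {
      if (target.origin === doc.origin) return true;
      continue;
    }
    // host-source: optional scheme followed by a host pattern
    let scheme = null, host = src;
    const m = /^([a-z][a-z0-9+.-]*):\/\/(.+)$/i.exec(src);
    if (m) { scheme = m[1].toLowerCase(); host = m[2]; }
    const schemeOk = scheme
      ? target.protocol === scheme + ":"
      : target.protocol === doc.protocol || (doc.protocol === "http:" && target.protocol === "https:");
    if (schemeOk && hostMatches(host.toLowerCase(), target.hostname)) return true;
  }
  return false;
}
```

Run against the question's two script tags with the policy script-src 'self' 'unsafe-inline'; and a document origin of http://example.com, foo.js is allowed and bar.js is blocked.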

