Recommended method to prevent any content inside iframe from setting cookies


Question

I get the content to be put inside an iframe from a source I do not trust. For a particular need to be met, I want the content (which might include JavaScript) to be unable to set cookies at all. What is the recommended method to achieve that?

Edit: I recognize this is similar to this question. I should have mentioned this earlier, but the iframe has a cross-origin source. I want to disable the content inside from setting cookies even on its own source. Does sandboxing achieve that? Thanks.

Recommended answer

Short answer:

The HTML5 sandbox attribute prevents the iframe from reading/writing cookies.

The allow-scripts attribute enables JavaScript but does not interfere with the restrictions on cookies.

<iframe sandbox="allow-scripts" src="..."></iframe>


So, if you don't fully trust that, this is for you...

According to the W3C Working Draft (2010) and the W3C Recommendation (2014), when the user agent (browser) parses the sandbox attribute, it has to add certain flags, which are then used to put restrictions on the content within the iframe. One of those flags is meant to force the content into a unique origin and prevent it from reading/writing cookies:


The sandbox attribute, when specified, enables a set of extra restrictions on any content hosted by the iframe.

While the sandbox attribute is specified, the iframe element's nested browsing context must have the flags given in the following list set.

...

The sandboxed origin browsing context flag, unless the sandbox attribute's value, when split on spaces, is found to have the allow-same-origin keyword set.


This flag forces content into a unique origin, thus preventing it from accessing other content from the same origin.

This flag also prevents script from reading from or writing to the document.cookie IDL attribute, and blocks access to localStorage. [WEBSTORAGE]


When a sandboxed iframe attempts to write a cookie, the following exception is raised:



Uncaught DOMException: Failed to set the 'cookie' property on 'Document': The document is sandboxed and lacks the 'allow-same-origin' flag.


and no cookie is ever written.

Since the sandboxed iframe cannot write cookies at all, it will not be able to set cookies even on its originating site. (In fact, allowing that would be one of the use cases for the allow-same-origin keyword.)


The allow-same-origin attribute is intended for two cases.

...

Second, it can be used to embed content from a third-party site, sandboxed to prevent that site from opening popup windows, etc., without preventing the embedded page from communicating back to its originating site, using the database APIs to store data, etc.
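As an added example (not code from the question or the answer above): a small Node.js model of the rule quoted from the spec, deriving the sandboxing flags from a sandbox attribute value, plus a fail-closed helper that emits the iframe tag and refuses keyword lists that would re-enable cookie access. The keyword names are the real HTML sandbox keywords; the function names are assumptions of this example.

```javascript
// Each sandbox keyword *lifts* the restriction (flag) named here.
// Subset of the HTML keywords, enough to model the cookie rule.
const SANDBOX_KEYWORDS = {
  "allow-same-origin":    "sandboxedOrigin",        // unique origin: no cookies / localStorage
  "allow-scripts":        "sandboxedScripts",       // script execution
  "allow-forms":          "sandboxedForms",
  "allow-popups":         "sandboxedPopups",
  "allow-top-navigation": "sandboxedTopNavigation",
};

// Flags a nested browsing context gets for a sandbox attribute value.
// `null` models an iframe with no sandbox attribute at all (no restrictions);
// an empty string models `sandbox=""` (every restriction applies).
function sandboxFlags(value) {
  const flags = {};
  for (const flag of Object.values(SANDBOX_KEYWORDS)) flags[flag] = value !== null;
  if (value === null) return flags;
  // "when split on spaces": tokens are ASCII case-insensitive, unknown ones ignored
  for (const token of value.split(/\s+/)) {
    const flag = SANDBOX_KEYWORDS[token.toLowerCase()];
    if (flag) flags[flag] = false;
  }
  return flags;
}

// True when script in the frame cannot read or write document.cookie.
function cookieAccessBlocked(value) {
  return sandboxFlags(value).sandboxedOrigin;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
  return String(s).replace(/[&<>"]/g, (c) => map[c]);
}

// Build the iframe tag for untrusted content. Fails closed: any keyword list that
// lifts the unique-origin flag (and so re-enables cookies) is rejected outright.
function sandboxedIframe(src, keywords = ["allow-scripts"]) {
  const value = keywords.join(" ");
  if (!cookieAccessBlocked(value)) {
    throw new Error("sandbox value re-enables cookie access: " + value);
  }
  return `<iframe sandbox="${escapeAttr(value)}" src="${escapeAttr(src)}"></iframe>`;
}
```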
