HTML5 Iframe: Block remote requests
Problem description
I am loading HTML content into an iframe using the srcdoc property. The iframe is a sandboxed iframe with no permissions given, so all JavaScript in the iframe is blocked. However, remote requests (such as for CSS, images etc.) will still be triggered inside the iframe.
Is there any possible way to tell the iframe to only load what I give it in the srcdoc property and not make any additional requests?
Thanks in advance.
Recommended answer
The basics
Presumably no, because sandboxing the iframe is meant to avoid sharing sensitive data between your main document and your iframe's document or to limit potentially disruptive behavior.
The iframe is still functionally a browser window and will act like such, loading all external resources that are declared in it, with the only difference that it displays within another document rather than another window.
If the code present inside srcdoc has calls to remote resources, then the browser is doing exactly what you are telling it to do by loading them.
If you don't want these resources to be loaded, you will have to edit them out of the srcdoc code.
That being said, there might exist a way to block the loading of resources by using a Content Security Policy from within the iframe's document using a meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'none';">
or
<meta http-equiv="X-Content-Security-Policy" content="default-src 'none';">
I did try this under Firefox 39.0.3 but it didn't work, likely because of the following:
Regardless, for more information, see:
- CSP (Content Security Policy) on the Mozilla Developer Network
- Content Security Policy Reference
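The two options the answer describes (a Content Security Policy meta tag inside the srcdoc, and finding the remote references so they can be edited out), as an added example that is not part of the original answer. The policy value, the function names and the sample hostnames are assumptions made for illustration.

```javascript
// Added example (not from the original answer). The policy value is an assumption:
// block every fetch, but keep inline styles and data: images so the content still renders.
const POLICY = "default-src 'none'; style-src 'unsafe-inline'; img-src data:";

const escapeAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');

// Wrap untrusted markup so the CSP <meta> is the first element the parser sees.
// A meta-delivered policy only governs content that comes after it.
function buildSrcdoc(untrustedHtml, policy = POLICY) {
  return '<!DOCTYPE html><html><head>' +
    `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(policy)}">` +
    '</head><body>' + untrustedHtml + '</body></html>';
}

// Rough audit aid: list remote URLs referenced by attributes or CSS in the markup.
// Regex scanning is approximate; the CSP above is the enforcement, this is for review.
function findRemoteRefs(html) {
  const refs = new Set();
  const patterns = [
    /\b(?:src|href|poster|action|background)\s*=\s*["']?\s*((?:https?:)?\/\/[^\s"'>]+)/gi,
    /url\(\s*["']?\s*((?:https?:)?\/\/[^\s"')]+)/gi,
    /@import\s+["']((?:https?:)?\/\/[^\s"']+)/gi,
  ];
  for (const re of patterns) {
    for (const m of html.matchAll(re)) refs.add(m[1]);
  }
  return [...refs];
}

// Browser-only helper: sandbox with no tokens, content supplied via srcdoc.
function mountSandboxed(untrustedHtml, parent) {
  const frame = document.createElement('iframe');
  frame.setAttribute('sandbox', '');
  frame.srcdoc = buildSrcdoc(untrustedHtml);
  parent.appendChild(frame);
  return frame;
}

// Constructed sample input.
const SAMPLE = '<link rel="stylesheet" href="https://cdn.example/a.css">' +
  '<img src="//img.example/pixel.gif"><p style="background:url(http://bg.example/x.png)">hi</p>' +
  '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">';
```

Since the answer reports the meta tag had no effect in Firefox 39.0.3, confirm in the target browser's network panel that the frame issues no requests.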