x-frame-option SAMEORIGIN and clickjacking in ASP.NET
Question
The application had a problem with allowing itself to be loaded into an iframe. I have read a lot about it (and clickjacking). As it is necessary to load a page into an iframe within the same origin, I have come to the following solution:
Add the following to the global.asax file:
HttpContext.Current.Response.AddHeader("x-frame-options", "SAMEORIGIN");
However, I know that not all browsers support this header. So I want to add some additional JavaScript solution. As I am not an expert in JavaScript, I have found the following solution:
<script>
// Must sit inside <body> (not <head>) so that the body element already exists.
// Only meaningful if CSS hides <body> by default (e.g. body { display: none }),
// which this snippet does not include; otherwise the page is visible while framed.
if (self == top) {
    // Not inside a frame: reveal the page.
    var theBody = document.getElementsByTagName('body')[0];
    theBody.style.display = "block";
} else {
    // Inside a frame: navigate the outermost window to this page ("frame busting").
    top.location = self.location;
}
</script>
I know that it could be blocked if one wants it very much; however, this adds some extra security.
My question is: 1) I do not understand the logic of this JavaScript code (can you give some comments about the logic)? 2) Does this work within SAMEORIGIN (allow iframe loading in the same page, but not on other pages)?
edit:
I have found another approach that seems clear to me; however, I am not sure if this is more secure than the one above:
<style>html { visibility : hidden }</style>
<script>
// The document starts hidden via the CSS above, so it fails closed:
// if the frame-busting navigation below is blocked, nothing is shown.
if (self == top) {
    // Not framed: reveal the page.
    document.documentElement.style.visibility = 'visible';
} else {
    // Framed: try to break out by navigating the top window to this page.
    top.location = self.location;
}
</script>
self is the current page, and if it is equal to top, which is the outermost framed page, then the logic is that it isn't in a frame, so everything is OK. If not, it sets the location of the outermost frame to be the current page (top.location = self.location;). This is known as "frame buster" code, but there have also been some published "frame buster buster" scripts that break attempts at stopping content being framed, so bear in mind that your JavaScript may not always work.
x-frame-options is the way to go, so if you've added that then you should be secure on modern browsers, but you could try this approach, which will display a warning message if a site tries to stop your frame buster from working.
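The frame-buster logic discussed above, as an added example that is not part of the original question or answer. It answers the asker's second question: the bare self == top test refuses every frame, including same-origin ones, whereas the SAMEORIGIN rule allows framing when every ancestor up to top belongs to the page's own origin. In browsers, window.parent and window.top are readable across origins but reading location.href on a cross-origin ancestor throws a SecurityError, and that exception is what the check keys on. It also keeps the hide-by-default design of the second snippet so that a blocked navigation leaves the page hidden rather than clickable. The window and document stand-ins, the origins and the SecurityError emulation are constructed here so the code runs offline in Node; in a browser the call is applyFrameProtection(window, document) placed right after a html { visibility: hidden } style rule.

```javascript
// Added example (not from the original post): frame-busting check that follows
// the SAMEORIGIN rule. X-Frame-Options remains the primary control; this is the
// JavaScript fallback. Windows/documents below are hypothetical stand-ins.

// Walk from the current window up to top. Reading location.href on a
// cross-origin ancestor throws in browsers; the fixtures below emulate that.
function classifyFraming(win) {
  if (win === win.top) {
    return "top";                 // not framed at all
  }
  let frame = win;
  while (frame !== win.top) {
    const parent = frame.parent;
    if (parent === frame) {
      break;                      // defensive: malformed chain
    }
    try {
      void parent.location.href;  // throws for a cross-origin ancestor
    } catch (e) {
      return "cross-origin";      // an ancestor we do not control: possible clickjacking
    }
    frame = parent;
  }
  return "same-origin";           // every ancestor up to top is our own origin
}

// Fail closed: the page ships hidden (html { visibility: hidden }) and is only
// revealed when the frame chain is acceptable. If a "frame buster buster" blocks
// the navigation attempt, the content still stays hidden.
function applyFrameProtection(win, doc) {
  const verdict = classifyFraming(win);
  if (verdict === "cross-origin") {
    try {
      win.top.location = win.self.location; // attempt to break out of the frame
    } catch (e) {
      // navigation blocked; leave the document hidden
    }
    return { verdict: verdict, revealed: false };
  }
  doc.documentElement.style.visibility = "visible";
  return { verdict: verdict, revealed: true };
}

// --- constructed fixtures (hypothetical, for running outside a browser) ---

// origins[0] is top, the last entry is the page running the script. Reading
// location.href on a window whose origin differs from the page's origin throws,
// mimicking the browser's cross-origin check.
function buildFrameChain(origins) {
  const pageOrigin = origins[origins.length - 1];
  let parent = null;
  let win = null;
  for (const origin of origins) {
    const w = { origin: origin };
    w.self = w;
    w.parent = parent || w;
    w.top = parent ? parent.top : w;
    w.location = {
      get href() {
        if (origin !== pageOrigin) {
          throw new Error("SecurityError: blocked cross-origin access");
        }
        return origin + "/page";
      },
    };
    parent = w;
    win = w;
  }
  return win;
}

function makeHiddenDocument() {
  return { documentElement: { style: { visibility: "hidden" } } };
}

// The scenarios the question cares about (origins are made up).
function runScenarios() {
  const cases = {
    unframed: ["https://app.example"],
    sameOriginFrame: ["https://app.example", "https://app.example"],
    crossOriginFrame: ["https://evil.example", "https://app.example"],
    // double framing: our page inside our page inside the attacker's page
    doubleFramed: ["https://evil.example", "https://app.example", "https://app.example"],
  };
  const results = {};
  for (const name of Object.keys(cases)) {
    results[name] = applyFrameProtection(buildFrameChain(cases[name]), makeHiddenDocument());
  }
  return results;
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Only the unframed and same-origin cases reveal the page; the cross-origin and double-framing cases attempt the bust and leave the document hidden. The inline script must run before any clickable content is painted, and the header should still be sent for every response (current browsers also honour the Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options where both are present).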