过去Facebook的iframe块 [英] Getting Past Facebooks Iframe Block

问题描述

在Facebook上，他们似乎有一个阻止您加载其网站的 iframe 的块。

Well on Facebook they seem to have a block which prevents you from loading an iframe of their website.

当您这样做时，他们会锁定其网站的完整功能示例。

When you do, they lock complete functionality of their website example.

我只是想知道有没有人知道你如何绕过这个？

I'm just wondering if anyone knows how you could bypass this?

推荐答案

如果他们没有防止这种情况，攻击者可以将Facebook页面加载到透明的iframe中，并将有趣的东西放在下面。让被害人登录到Facebook，然后访问攻击者的网站（在一段时间后，在另一个标签页）。

If they did not prevent this, an attacker could load Facebook pages into an transparent iframe and put something interesting below it. Lets asume a victim has logged in to facebook and then visits the website of the attacker (after some time, in another tab).

受害者将点击攻击者的网站。但事实上，它是点击透明的iframe，并在Facebook网站上触发一些动作。浏览器当然会将会话cookie发送到Facebook，Facebook看到一个登录用户的合法动作。

The victim will click on something on the attacker's website. But in fact it is clicking onto the transparent iframe and triggering some action on the facebook website. The browser will of course sent the session cookie to Facebook and Facebook sees a legitimate action by an logged in user.

维基百科有一篇关于劫持的文章： http://en.wikipedia.org/wiki/Clickjacking

Wikipedia has an article on Clickjacking: http://en.wikipedia.org/wiki/Clickjacking

可以通过
http://www.webmasterworld.com/webmaster/4022867.htm 很遗憾，并不是所有的浏览器都支持它，所以也需要一个框架打破java脚本。

This attack can be prevented using the unofficial X-Frame-Option http header as described on http://www.webmasterworld.com/webmaster/4022867.htm Unfortunately not all browsers support it, so a frame breaking java script is required, too.

这篇关于过去Facebook的iframe块的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！