X-Frame-Options: ALLOW-FROM in Firefox and Chrome
Problem description
I'm implementing a "pass-through" for X-Frame-Options to let a partner site wrap my employer's site in an iframe, as per this article: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
(splitting up URLS to post)
In a nutshell, our partner's page has an iframe with an URL against our domain.
For any page in our domain, they'll add a special url argument like &@mykey=topleveldomain.com, telling us what the page's top level domain is.
Our filters pick up the partner TLD, if provided, from the URL, and validate it against a whitelist. If it's on the list, we ship the X-Frame-Options header with value ALLOW-FROM topleveldomain.com (and add a cookie for future clicks). If it's not on our whitelist, we ship SAMEORIGIN or DENY.
The problem is it looks like sending ALLOW-FROM domain results in a no-op overall for the latest Firefox and Google Chrome. IE8, at least, seems to be correctly implementing ALLOW-FROM.
Check out this page: http://www.enhanceie.com/test/clickjack. Right after the 5th (of 5) boxes that "should be showing content", is a box that should NOT be showing content, but which is. In this case, the page in the iframe is sending X-Frame-Options: ALLOW-FROM http://www.debugtheweb.com, a decidedly different TLD than http://www.enhanceie.com. Yet, the frame still displays content.
Any insight as to whether X-Frame-Options is truly implemented with ALLOW-FROM across relevant (desktop) browsers? Perhaps the syntax has changed?
Some links of interest:
- Draft rfc on x-frame-options: http://tools.ietf.org/html/draft-gondrom-frame-options-01
- developer.mozilla article discussing the header as a 2-option header (sameorigin or deny). https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
- msdn blog that initiated the whole thing: http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
- msdn blog that talks about 3 values: adding allow-from origin http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
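The filter described in the question, written out as an added example (not the asker's code and not from any of the linked articles). It assumes the partner passes its host in a query parameter named mykey (the question shows "&@mykey=topleveldomain.com") and that we hold an allowlist of partner hosts; the allowlist entries and the https scheme used to build the origin are constructed for the example. Two points the prose leaves implicit: the parameter is untrusted input, so the allowlist check is an exact match on a normalized hostname rather than a substring test, and the header is built from the normalized host rather than echoing the raw value. Because ALLOW-FROM is not honored by Chrome or Safari, the example also emits the equivalent Content-Security-Policy frame-ancestors directive, which those browsers do enforce; that directive is not mentioned on this page and is added here as the portable alternative.

```python
"""Choose clickjacking-protection headers for a page a partner may frame.

Added example; not code from the original question. The browser enforces
the policy, so this code only selects which policy to send: a forged
parameter gains an attacker nothing unless the host is already allowlisted.
"""
from typing import Dict, FrozenSet, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist of partner hosts: lowercase, no scheme or port.
PARTNER_ALLOWLIST: FrozenSet[str] = frozenset({
    "partner.example",
    "www.partner.example",
})

# Assumed name of the query parameter the partner appends to our URLs.
PARAM_NAME = "mykey"

# Assumption: partners embed us over https, so the origin uses that scheme.
PARTNER_SCHEME = "https"


def _normalize_host(value: str) -> Optional[str]:
    """Reduce a partner-supplied value to a bare hostname, or None if unusable.

    Accepts either a bare host ("partner.example") or a full origin
    ("https://www.partner.example:443/"). urlsplit strips userinfo, port and
    path, so "evil.test@partner.example" normalizes to "partner.example".
    """
    value = value.strip().lower()
    target = value if "://" in value else "//" + value
    try:
        host = urlsplit(target).hostname
    except ValueError:
        return None
    return host or None


def framing_headers(request_url: str,
                    allowlist: FrozenSet[str] = PARTNER_ALLOWLIST) -> Dict[str, str]:
    """Return the framing headers to send for the given request URL."""
    params = parse_qs(urlsplit(request_url).query)
    candidates = params.get(PARAM_NAME, [])
    # A repeated parameter is ambiguous; treat it as absent.
    if len(candidates) == 1:
        host = _normalize_host(candidates[0])
        # Exact membership: "partner.example.attacker.test" must not match.
        if host is not None and host in allowlist:
            origin = f"{PARTNER_SCHEME}://{host}"
            return {
                # ALLOW-FROM takes a single origin; IE8 honors it, Chrome/Safari ignore it.
                "X-Frame-Options": f"ALLOW-FROM {origin}",
                # frame-ancestors is the CSP equivalent that current browsers enforce.
                "Content-Security-Policy": f"frame-ancestors {origin}",
            }
    # No valid partner: forbid framing everywhere.
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


if __name__ == "__main__":
    for url in (
        "https://www.ourdomain.example/page?mykey=partner.example",
        "https://www.ourdomain.example/page?mykey=partner.example.attacker.test",
        "https://www.ourdomain.example/page",
    ):
        print(url, "->", framing_headers(url))
```

Send both headers from the same filter: browsers that understand frame-ancestors ignore X-Frame-Options when both are present, and older ones fall back to the X-Frame-Options value.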
ALLOW-FROM is not supported in Chrome or Safari. See MDN article: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
You are already doing the work to make a custom header and send it with the correct data; can you not just exclude the header when you detect it is from a valid partner and add DENY to every other request? I don't see the benefit of AllowFrom when you are already dynamically building the logic up.