iframes within a trusted website list
Problem description
I'm new to iframes and their security flaws. I have website A that needs to be embedded on an iframe on a list of websites. Here is the interesting part.
- The list of trusted websites and the iframe share the same domain.
- Only the list of trusted websites can iframe A
- If an untrusted website tries to iframe A, some error should be rendered.
I know some places do this with some sort of tokenization system. Does anyone know or have some good references to do this?

Well, you can't prevent people from framing your website because you don't control their code.
However, you could:
- Use a framebuster to bust your site to top level (exit from iframe and into main window).
- Check the parent window's URL (the URL of the site framing your site). It works only if same domain, meaning if another domain is iframing you, you can't get the parent URL ("aha! someone's framing your site!"). If you CAN get the URL, the top site is from your domain. The only thing you need to do after that is to check if that site is part of your trusted sites in your domain.
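
The two checks described in the answer, combined into one script for site A. This is an added example, not code from the original post: `TRUSTED_PAGES`, the `example.com` URLs and both function names are constructed for illustration. It goes one step beyond the answer by checking every ancestor frame rather than only the direct parent.

```javascript
// Added example. TRUSTED_PAGES and the example.com URLs are constructed.
const TRUSTED_PAGES = new Set([
  "https://example.com/partners/a.html",
  "https://example.com/partners/b.html",
]);

// Returns "top", "trusted", "untrusted" or "cross-origin".
function classifyFraming(win, trusted = TRUSTED_PAGES) {
  if (win.top === win.self) return "top"; // not framed at all
  // Walk every ancestor, so a trusted page that is itself framed by
  // an unknown site does not pass the check.
  let frame = win;
  do {
    frame = frame.parent;
    let href;
    try {
      href = frame.location.href; // browsers throw SecurityError cross-origin
    } catch (e) {
      return "cross-origin"; // unreadable parent: another domain frames us
    }
    const url = new URL(href);
    // Compare origin + path only; query string and fragment are ignored.
    if (!trusted.has(url.origin + url.pathname)) return "untrusted";
  } while (frame !== win.top);
  return "trusted";
}

// Render an error and try to bust out unless the whole chain is trusted.
function enforceFraming(win, trusted = TRUSTED_PAGES) {
  const verdict = classifyFraming(win, trusted);
  if (verdict === "cross-origin" || verdict === "untrusted") {
    // Replace the content first: the error stays visible if busting fails.
    win.document.body.textContent = "This page cannot be embedded here.";
    try {
      win.top.location = win.self.location.href; // the framebuster
    } catch (e) {
      // Top navigation was blocked (for example by a sandboxed iframe).
    }
  }
  return verdict;
}

// In the browser: enforceFraming(window);
```

A check like this only runs if the framing page allows scripts in the iframe. The `Content-Security-Policy: frame-ancestors` response header makes the browser itself enforce the same allow-list.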