使相同的域iframe安全 [英] Making a Same Domain iframe Secure
问题描述
tl; dr 我可以安全地在iframe上执行不受信任的脚本吗?
tl;dr Can I execute un-trusted scripts on an iframe safely?
我正在尝试制作安全的JSONP请求。许多旧的浏览器不支持Web Workers,这意味着我提出的当前解决方案并不是最佳的。
I'm trying to make secure JSONP requests. A lot of older browsers do not support Web Workers which means that the current solution I came up with is not optimal.
我想我可以创建< iframe> 并在其中加载脚本。该脚本将执行JSONP请求(创建脚本标记),该请求会将消息发布到主页面。主页面将获取消息,执行回调并销毁iframe。我设法做这类事情。
I figured I could create an <iframe> and load a script inside it. That script would perform a JSONP request (creating a script tag), which would post a message to the main page. The main page would get the message, execute the callback and destroy the iframe. I've managed to do this sort of thing.
function jsonp(url, data, callback) {
var iframe = document.createElement("iframe");
iframe.style.display = "none";
document.body.appendChild(iframe);
var iframedoc = iframe.contentDocument || iframe.contentWindow.document;
sc = document.createElement("script");
sc.textContent = "(function(p){ cb = function(result){p.postMessage(result,'http://fiddle.jshell.net');};})(parent);";
//sc.textContent += "alert(cb)";
iframedoc.body.appendChild(sc);
var jr = document.createElement("script");
var getParams = ""; // serialize the GET parameters
for (var i in data) {
getParams += "&" + i + "=" + data[i];
}
jr.src = url + "?callback=cb" + getParams;
iframedoc.body.appendChild(jr);
window.onmessage = function (e) {
callback(e.data);
document.body.removeChild(iframe);
}
}
jsonp("http://jsfiddle.net/echo/jsonp/", {
foo: "bar"
}, function (result) {
alert("Result: " + JSON.stringify(result));
});
问题在于,由于iframe位于同一个域中,因此注入的脚本仍然可以访问外部范围通过 .top 或 .parent 等。
The problem is that since the iframes are on the same domain, the injected script still has access to the external scope through .top or .parent and such.
我想创建一个iframe,其中通过脚本标记添加的脚本不会能够访问父窗口(和DOM)上的变量。我试过像 top = parent = null 之类的东西,但我真的不确定这是否足够,可能还有其他解决方法。我尝试运行for ... in循环,但我的功能停止工作,我无法找到原因。
I want to create an iframe where scripts added through script tags will not be able to access variables on the parent window (and the DOM). I tried stuff like top=parent=null but I'm really not sure that's enough, there might be other workarounds. I tried running a for... in loop, but my function stopped working and I was unable to find out why.
注意:
我最了解WebWorkers是一个更好的隔离环境。我知道JSONP是一种坏技术(我甚至有一些随机的人告诉我他今天从来没用过它。我正在尝试为 执行JSONP查询的场景创建一个安全的环境。
I know optimally WebWorkers are a better isolated environment. I know JSONP is a "bad" technique (I even had some random guy tell me he'd never use it today). I'm trying to create a secure environment for scenarios where you have to perform JSONP queries.
推荐答案
你无法真正删除引用,设置null只会默默地失败,并且始终有办法获得对父dom的引用。
You can't really delete the references, setting null will just silently fail and there is always a way to get the reference to the parent dom.
像<$的引用c $ c> frameElement 和 frameElement.defaultView 等无法删除。尝试这样做会根据浏览器静默失败或抛出异常。
References like frameElement and frameElement.defaultView etc. cannot be deleted. Attempting to do so will either silently fail or throw exception depending on browser.
您可以查看 Caja / Cajita 虽然。
这篇关于使相同的域iframe安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
![一些随机的人](\"https://i.stack.imgur.com/yEOU0.png\"){kind=link}