阻止脚本更改document.location.href? [英] Stopping script from changing document.location.href?

问题描述

我刚刚浏览的网站(cheezburger.com)显然存在漏洞，因为有人在邮件中注入了<script>document.location.href="http://net-cheezburger.cu.cc/"</script>这样的行. Firefox重定向到该位置，并且X-Frame-Options停止了框架，从而导致屏幕空白.

A site that I just browsed (cheezburger.com) has apparently vulnerabilities as someone had injected lines like <script>document.location.href="http://net-cheezburger.cu.cc/"</script> into messages. Firefox redirected itself to there and X-Frame-Options stopped the framing resulting an empty screen.

除了在cheezburger网站上的document.location.href中添加CAPS策略之外，还有其他方法可以防止脚本在Firefox中运行吗?这也阻碍了合法的变更. 现在，我只是用Greasemonkey提醒一个脚本放置在错误的位置，因此我立即知道如果他们尝试其他恶意脚本会发生什么情况.

Is there other ways to prevent the script from working in Firefox than adding a CAPS policy to document.location.href on cheezburger sites? That blocks legitimate changes too. Now I just alert with Greasemonkey that a script is in a wrong place so I know immediately what's going on if they try other malicious scripts.

在站点本身修复之前，我只是想做一个临时修复程序.

I'd just like a temporary fix until the site itself is fixed.

我想知道有没有办法以编程方式拦截该脚本或重定向.如果我已正确理解，则无法使用Greasemonkey更改内联脚本，但是还有其他选择吗?

I'm wondering is there way to programmatically intercept that script or redirection. If I've understood correctly you can't change inline scripts with Greasemonkey but are there other options?

推荐答案

由于您使用的是firefox(现代浏览器)，因此可以使用

Since you're on firefox (a modern browser), you could use Object.freeze to turn the location object into read-only:

Object.freeze(document.location);

document.location.href = "http://google.com";
// No navigation happens

console.log(document.location.href);
// => "http://stackoverflow.com/questions/22290948/stopping-script-from-changeing-document-location-href"

这篇关于阻止脚本更改document.location.href?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！