为什么< iframe src =" https://></iframe>重定向IE 11中的页面? [英] Why does <iframe src="https://"></iframe> redirect the page in IE 11?

问题描述

如果我在页面的HTML中添加<iframe src="https://"></iframe>，则父级页面将立即重定向到IE 11中的地址无效"错误页面.在Chrome中，空白iframe出现在就像我期望的那样.为什么会这样，并且可以通过某种方式防止它发生?谢谢！

If I add <iframe src="https://"></iframe> to a page's HTML, the parent page is immediately redirected to a "The address is not valid" error page in IE 11. In Chrome, a blank iframe appears on the page, as I would expect. Why is this, and can it be prevented somehow? Thanks!

我一直在测试一个Web应用程序，该应用程序显示一个仪表板屏幕，其中包含各种类型的组件，所有这些组件都可以由用户配置.用户可以嵌入所需的任何外部内容，只要它们通过HTTPS提供即可.我只是发现，如果有人尝试嵌入URL"https://"，则导致的页面重定向会将应用程序置于不良状态.我打算为用户输入添加限制以防止这种情况，但是我只是对这种父级重定向背后的实际机制感到好奇.

I've been testing a web app that displays a dashboard screen full of various types of components, all of which are configurable by users. Users can embed any external content they want, as long as it's served over HTTPS. I just found that, if someone tries to embed a URL of "https://", the resulting page redirection throws the application into an undesirable state. I plan to add restrictions to user input to prevent this, but I was just curious about the actual mechanism behind this parent-level redirection.

推荐答案

当IE11指示显示错误的URL时，您会看到一条错误消息，该消息是由IE内置的HTML和JavaScript呈现的.那页上写着地址无效"等等等等.

When IE11 is directed to display a bad URL, you see an error message rendered with HTML and JavaScript that is built in to IE. That's the page that says "The address is not valid" blah blah blah.

HTML文件称为语法.html，它加载了两个JavaScript文件，分别名为HttpErrorPagesScripts.js和errorpagestrings.js.

The HTML file is called syntax.html, and it loads two JavaScript files called HttpErrorPagesScripts.js and errorpagestrings.js.

后一个文件包含以下代码(为了您的观看乐趣而对其进行了重新格式化):

The latter file contains this code (reformatted for your viewing pleasure):

function clickRefresh()
{
    var location = window.location.href;
    var poundIndex = location.indexOf('#');
    if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))
    {
        window.location.replace(location.substring(poundIndex+1));
    }
}

上面JavaScript的最后一行执行框架破坏"，即iframe中包含的网站在地址栏中插入自己的网址(或另一个网址).

The last line of JavaScript above performs "frame busting", which is where a website enclosed in an iframe inserts its own (or another) URL into the address bar.

在这种情况下，iframed页面会插入自己的URL(出于IE特定的原因，它是原始URL，而不是语法.html

In this case the iframed page inserts its own URL (which for IE-specific reasons is the original URL and not syntax.html

在IE以外的浏览器(真实浏览器)中，可以通过使用iframe的沙箱属性中提供的选项来防止这种帧破坏行为. 添加不带任何值的sandbox选项将启用所有沙箱保护，以防止运行JavaScript，重定向，启用表单(用于UI纠正)和框架破坏等. 有关完整列表，请在 https://developer中查找沙盒" .mozilla.org/zh-CN/docs/Web/HTML/Element/iframe

In browsers other than IE (real browsers), you can prevent this frame-busting behavior by using options provided in the iframe's sandbox attribute. Adding the sandbox option with no value enables all of the sandbox protections against running JavaScript, redirecting, enabling forms (used for UI redressing) frame busting, etc. For the full list look for "sandbox" in https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

因此在良好的浏览器中，它将可以正常工作:

So in good browsers this would work fine:

<iframe src="https://" sandbox ></iframe>

(但是您仍然对IE感到困惑). Mozilla页面上说，从IE10开始，IE支持sandbox属性，但是从测试中我知道，上述方法(添加sandbox)在Chrome中效果很好，但在IE11中没有效果，所以祝您好运.我当然没有在Internet上搜索IE专用的解决方案，所以一定要四处看看.

(but you're still screwed with IE). The Mozilla page says that the sandbox attribute is supported by IE starting in IE10, but I know from testing that the above approach (adding sandbox) works fine in Chrome but has no effect in IE11, so good luck there. I certainly haven't scoured the internet for IE-specific solutions to this so definitely look around.

这篇关于为什么< iframe src =" https://></iframe>重定向IE 11中的页面?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！