iframe可以从allow-same-origin释放自己吗? [英] Can an iframe release itself from allow-same-origin?

问题描述

如果站点A具有站点B的iframe，并且两个站点位于不同的域，站点B是否可以(通过js或其他方式)知道它是否位于具有allow-same-origin属性的iframe中并阻止它?/p>

我需要向网站B的管理员保证，他们的网站在网站A的iframe中是安全的.

由于我误解了allow-same-origin的含义，所以这个问题本质上是没有根据的

解决方案

如果您以包含Web站点A且其中嵌入了iframe的包含Web站点A的正常情况为例，那么浏览器的同源限制将使其成为不可能除非站点B特别配合以允许通常使用 window.postMessage()(一种在不同来源的文档，窗口或框架之间发送消息的方式)的方式，否则站点A可以访问站点B的页面中的任何内容.默认情况下，不允许访问.

您在iframe allow-same-origin 上引用了沙箱属性.当您添加沙箱属性时，事情将被进一步关闭，因此允许的访问量甚至更少. allow-same-origin 属性仅从同一来源带回访问.由于您的站点A和站点B的示例来自不同的来源，因此这对它们之间的访问没有影响.网站A的页面仍将无法访问网站B的页面.

If Site A has an iframe of Site B, and the two sites are on different domains, can Site B know (via js or something) if it's in an iframe with the allow-same-origin attribute and thwart it?

I need to reassure the administrators of site B that their site is safe within an iframe on Site A.

EDIT: This question is essentially moot as I've misunderstood what allow-same-origin means

解决方案

If you take the normal case of a containing web page site A that has an iframe embedded in it site B, then the browser's same-origin restrictions make it impossible for site A to access anything in site B's page unless site B specifically cooperates to allow that usually with window.postMessage() - a means of sending messages between documents, windows or frames of a different origin. By default, no access is allowed.

You refer to a sandbox attribute on the iframe allow-same-origin. When you add the sandbox attribute, things are shut-down even more so even less access is allowed. The allow-same-origin attribute brings back access from the same origin only. Since your example of site A and site B are on different origins, this should have no effect on the access between them. site A's page will still not be able to access site B's page.

这篇关于iframe可以从allow-same-origin释放自己吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！