Security Risks of Including a 3rd Party iFrame
Question
What are the application security risks of including a hidden 3rd Party iFrame?
If I understand correctly...
- Clickjacking isn't a concern for me, since I own the parent page
- The same-origin policy stops the 3p frame from interacting with my DOM/cookies/JS
- The frame is hidden, so I don't have to worry about anything that might be displayed inside it
However I did some experiments in the Chrome console and...
- the 3p frame can call things like alert/prompt
- the 3p frame can redirect the parent via location.href
- malware (java/flash/activeX) inside the 3p frame could infect my users
I'd love to see a list of the possible issues and any mitigations, but I can't find a good source of information.
So...What are the application security risks of including a hidden 3rd Party iFrame?
Recommended answer
If you are implementing iframes on your website, you could use the sandbox tag in HTML5's iframe to prevent yourself/others on your website.
I don't know how effective it is (the sandbox feature), but it states it can restrict scripts, forms etc. inside the iframe.
<iframe sandbox="" src="https://www.example.com"></iframe>
Although not a guaranteed and effective method, it's one of many different ways. On your end though, you could use add-ons such as NoScript to prevent certain/all scripts from running.
It's possible that the 3rd party iframe, as you said, could use exploits such as drive-by-downloads or browser exploits to gain access to your OS and possibly more.
Hope this helps.
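As an added example that is not part of the original answer, the Node.js helper below builds the hardened markup for a hidden third-party iframe and maps the sandbox tokens back to the behaviours observed in the question (alert/prompt, redirecting the parent via location.href). The token semantics follow the HTML sandbox attribute; the function names and the https-only rule are this example's own choices.

```javascript
// Added example, not code from the original page. Token names are the real
// HTML sandbox tokens; buildHiddenThirdPartyIframe and capabilitiesOf are
// hypothetical helper names chosen for this illustration.
const KNOWN_TOKENS = new Set([
  "allow-forms", "allow-modals", "allow-popups", "allow-same-origin",
  "allow-scripts", "allow-top-navigation", "allow-downloads",
]);

// What a sandboxed frame may do, in terms of the question's observations.
// With an empty sandbox="" every one of these is false.
function capabilitiesOf(tokens) {
  const t = new Set(tokens);
  return {
    runScripts: t.has("allow-scripts"),
    showModals: t.has("allow-modals"),          // alert(), prompt(), confirm()
    navigateTop: t.has("allow-top-navigation"), // top.location.href = ...
    submitForms: t.has("allow-forms"),
    keepOrigin: t.has("allow-same-origin"),     // otherwise an opaque origin
  };
}

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Returns the iframe markup, or throws if the requested sandbox is unsafe.
function buildHiddenThirdPartyIframe(src, tokens = []) {
  const t = new Set(tokens);
  for (const tok of t) {
    if (!KNOWN_TOKENS.has(tok)) throw new Error(`unknown sandbox token: ${tok}`);
  }
  // The HTML spec warns that allow-scripts plus allow-same-origin lets
  // same-origin content strip its own sandbox; a hidden third-party frame
  // needs neither, so the combination is rejected outright.
  if (t.has("allow-scripts") && t.has("allow-same-origin")) {
    throw new Error("allow-scripts with allow-same-origin defeats the sandbox");
  }
  if (!/^https:\/\//i.test(src)) throw new Error("third-party src must be https");
  const sandbox = [...t].sort().join(" ");
  return `<iframe sandbox="${sandbox}" src="${escapeAttr(src)}" ` +
    `hidden referrerpolicy="no-referrer"></iframe>`;
}
```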