X-Frame-Options: ALLOW-FROM in firefox and chrome


Problem description

I'm implementing a "pass-through" for X-Frame-Options to let a partner site wrap my employer's site in an iframe, as per this article: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

(URL split up in order to post)

In a nutshell, our partner's page has an iframe with a URL against our domain. For any page in our domain, they'll add a special URL argument like &@mykey=topleveldomain.com, telling us what the page's top-level domain is.

Our filters pick up the partner TLD, if provided, from the URL, and validate it against a whitelist. If it's on the list, we ship the X-Frame-Options header with the value ALLOW-FROM topleveldomain.com (and add a cookie for future clicks). If it's not on our whitelist, we ship SAMEORIGIN or DENY.

The problem is that sending ALLOW-FROM domain looks like a no-op overall for the latest Firefox and Google Chrome. IE8, at least, seems to be implementing ALLOW-FROM correctly.

Check out this page: http://www.enhanceie.com/test/clickjack. Right after the 5th (of 5) boxes that "should be showing content" is a box that should NOT be showing content, but which is. In this case, the page in the iframe is sending X-Frame-Options: ALLOW-FROM http://www.debugtheweb.com, a decidedly different TLD from http://www.enhanceie.com. Yet the frame still displays content.

Any insight as to whether X-Frame-Options with ALLOW-FROM is truly implemented across the relevant (desktop) browsers? Perhaps the syntax has changed?

Some links of interest:

Recommended answer

ALLOW-FROM is not supported in Chrome or Safari. See the MDN article: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

You are already doing the work to make a custom header and send it with the correct data, so can you not just exclude the header when you detect that the request is from a valid partner, and add DENY to every other request? I don't see the benefit of AllowFrom when you are already building the logic up dynamically.
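The following is an added example, not code from the question or the answer above. It shows the server-side decision the question describes (look up the partner host passed in the URL, check it against an allowlist, then choose the anti-framing headers) written so that it still works in the browsers where ALLOW-FROM is a no-op. Two points the thread leaves open are handled here: first, a browser that does not recognise ALLOW-FROM ignores the whole X-Frame-Options header, so the response is framable by anyone, which is what the enhanceie test page demonstrates; second, simply omitting the header for a partner, as the answer suggests, has the same effect. The portable way to say "only these origins may frame me" is the Content-Security-Policy `frame-ancestors` directive (Chrome, Firefox and Safari all honour it; it is not mentioned on this page). The allowlist contents, the parameter name `@mykey` (as written in the question), the base URL and the function names are assumptions made for the example.

```javascript
// Added example (not from the original post). Chooses the anti-framing
// headers for a response based on the partner host a partner site appends
// to our URLs as "&@mykey=topleveldomain.com" (parameter name from the question).
//
// Assumptions (not in the original): the allowlist below, the base URL used
// to parse relative request paths, and that the server can emit a CSP header.

// Hypothetical allowlist of partner hosts that may frame us.
const PARTNER_ALLOWLIST = new Set(['partner.example', 'www.partner.example']);

// Extract the partner parameter from a request URL (absolute or path-only).
// The base URL is a placeholder for our own site.
function partnerFromUrl(requestUrl) {
  const u = new URL(requestUrl, 'https://our-site.example');
  return u.searchParams.get('@mykey');
}

// Strict hostname validation: lower-cased, no scheme, port or path, and
// only RFC 1123-style labels. Combined with an exact-match allowlist lookup
// this rejects "partner.example.attacker.net" and "attacker.net/partner.example",
// which a substring or startsWith check would let through.
function normalizePartnerHost(raw) {
  if (typeof raw !== 'string') return null;
  const host = raw.trim().toLowerCase();
  const hostnameRe =
    /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$/;
  return hostnameRe.test(host) ? host : null;
}

// Return the headers to add to the response.
// Partner on the allowlist: CSP frame-ancestors for modern browsers, plus
// ALLOW-FROM for legacy IE. Browsers that understand frame-ancestors ignore
// X-Frame-Options when both are present, so ALLOW-FROM only ever reaches IE.
// Anyone else: SAMEORIGIN / 'self', understood everywhere. Use DENY / 'none'
// instead if the site never frames itself.
function frameHeadersFor(partnerParam) {
  const host = normalizePartnerHost(partnerParam);
  if (host !== null && PARTNER_ALLOWLIST.has(host)) {
    return {
      'Content-Security-Policy': `frame-ancestors 'self' https://${host}`,
      'X-Frame-Options': `ALLOW-FROM https://${host}`,
    };
  }
  return {
    'Content-Security-Policy': "frame-ancestors 'self'",
    'X-Frame-Options': 'SAMEORIGIN',
  };
}

// Convenience: headers for a whole request URL.
function frameHeadersForRequest(requestUrl) {
  return frameHeadersFor(partnerFromUrl(requestUrl));
}

// Example run (constructed URLs):
// console.log(frameHeadersForRequest('/page?a=1&@mykey=partner.example'));
// console.log(frameHeadersForRequest('/page?a=1&@mykey=partner.example.attacker.net'));
```

Note the order of checks: the host is normalised and validated before the allowlist lookup, and the lookup is an exact match, so a partner-controlled or attacker-controlled query string cannot widen the policy. The same function can be reused for the "cookie for future clicks" mentioned in the question, as long as the cookie value is run through the same validation rather than trusted as-is.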
