使用外部 URL 获取 iframe 的高度 [英] Get height of iframe with external URL

问题描述

我必须在我的页面的 iframe 中包含一个外部白标签网站.外部站点上有许多页面，它们的高度差异很大.

I have to include an external whitelabel site within an iframe on my page. There are numerous pages on the external site and they vary considerably in height.

我需要调整 iframe 的高度以适应这种情况.

I need to adjust the height of my iframe to accommodate this.

我可以获取加载到 iframe 中的第一个页面的高度(使用 PHP)，但无法获取后续页面的高度，因为无法知道 iframe 中的 url/位置更改为什么.

I can get the height of the first page loaded into the iframe (using PHP), but no way of getting subsequent page heights because no way of knowing what the url/location changes to in the iframe.

由于这是 iframe 中的外部 url，因此通常存在安全限制，因此所有解决方案都必须来自父框架.解决方案必须至少在 FF 和 IE 上可行.

As this is an external url in the iframe the usual security limitations apply, therefore ALL solutions must come from the parent frame. Solution must be workable on FF and IE at least.

我唯一能想到的就是测试滚动条在 iframe 上是否可见，但这在这些情况下似乎是不可能的.

The only think I can think of is to test whether the scrollbars are visible on the iframe, but this is seemingly impossible in these circumstances.

如果有人能证明我是错的，或者有任何其他 javascript/ajax/php 跨浏览器解决方案，我很乐意听到.

If anyone can prove me wrong, or has any other javascript/ajax/php cross-browser solution I'd love to hear it.

推荐答案

由于浏览器的安全模型，不可能这样做.如果可能，那将是一个安全问题，必须加以修复.

It is not possible to do this because of the browser's security model. If it was possible, that would be a security problem and would have to be fixed.

尽管在嵌入页面时让嵌入站点知道第三方网页的高度似乎无害，但这可能会将浏览器用户希望保密的信息泄露给嵌入站点.例如，http://www.facebook.com/ 根据您是否登录而呈现不同在，所以如果我的网站可以计算出 <iframe src="http://www.facebook.com/"> 的高度，那么我可以计算出你是否是 facebook用户，你可能不想让我知道.

Although letting the embedding site know the height of a third party webpage when embedded in the page seems harmless, this can leak information to the embedding site that the browser's user wants to keep private. For example, http://www.facebook.com/ renders differently depending on whether or not you are logged in, so if my website can work out the height of <iframe src="http://www.facebook.com/"> then I can work out whether or not you are a facebook user, something you probably don't want me to know.

信息泄露类似于臭名昭著的CSS 历史泄漏 因为它会通过链接"到该站点(在这种情况下使用 iframe 而不是链接)来揭示有关用户与第三方站点的关系的信息.浏览器供应商必须堵住 CSS History Leak，所以我怀疑如果您能够计算在任何浏览器的 iframe 中呈现的第三方网站的高度，供应商也必须解决这个问题.

The information leakage would be similar to the infamous CSS History Leak in that it would reveal information about the user's relationship with the third-party site just by "linking" to that site (in this case with an iframe instead of a link). Browser vendors had to plug the CSS History Leak, so I suspect if you could work out the height of a third party site rendered in an iframe in any browser, the vendor would have to fix that too.

泄露的信息可以是任何可以从使用 cookie 呈现给用户的页面高度推断出来的信息(即使在不同域页面内的 iframe 中呈现，浏览器也会发送).具体风险完全取决于被攻击"的嵌入式站点的性质.例如.通过获取 https://stackoverflow.com/reputation 的高度，我可以了解访问我网站的人有多少 stackoverflow 活动不同的用户是不同的.

The information leaked would be anything that can be inferred from the height of a page when rendered for a user using their cookies (which the browser will send even though rendering in an iframe inside a different domain's page). The specific risks depend entirely on the nature of the embedded site being "attacked". E.g. I could get an idea of how much stackoverflow activity someone visiting my site has by getting the height of https://stackoverflow.com/reputation which is different for different users.

这篇关于使用外部 URL 获取 iframe 的高度的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！