How useful is the X-Frame-Options header in protecting against malicious framing?


Question

Adding the X-Frame-Options DENY to the response header helps protect against malicious framing of the web page and as a solution it's certainly better than client-side JavaScript solutions.

But just how useful is it? Is it supported by all (modern) browsers and can it be bypassed by hackers intent on hijacking your site?

Recommended answer

EricLaw's page maintains a list of supporting browsers.

Current versions of the major desktop browsers all support it; older versions and niche and some mobile browsers don't. So you will probably want to include an anti-framing <script> as well, to set top.location (and remove the page content first in case of anti-frame-busting; see this question for why).

You might prefer the script approach to X-Frame-Options when you want to selectively allow framing. X-Frame-Options does not permit ‘whitelisting’, so you can't e.g. allow Google Images traffic but not others.

Either way, IE6-7 will still allow attackers to frame your page and disable the frame-buster. Unfortunately the questionable <iframe security> attribute existed before X-Frame-Options. You could try adding <base target="_top"> to try to make any navigation break out of traditional framing (or just not work, in the presence of anti-frame-busters), but this can't help you against invisible-iframe-overlay attacks.
