使用外部网址获取iframe的高度 [英] Get height of iframe with external URL

问题描述

我必须在我的网页上的iframe中包含一个外部whitelabel网站。外部网站上有很多页面，它们的高度差异很大。

我需要调整iframe的高度以适应这种情况。

我可以获得加载到iframe中的第一页的高度（使用PHP），但无法获得后续页面高度，因为无法知道iframe中的url / location更改的内容。

由于这是iframe中的外部网址，因此通常的安全限制适用，因此所有解决方案都必须来自父框架。解决方案必须至少可以在FF和IE上使用。

我能想到的唯一想法是测试滚动条是否在iframe上可见，但这似乎是不可能的在这种情况下。

如果有人可以证明我错了，或者有任何其他javascript / ajax / php跨浏览器解决方案，我很乐意听到它。

解决方案

由于浏览器的安全模型，这样做不可能。如果有可能，这将是一个安全问题，并且必须修复。

尽管嵌入网站嵌入在第三方网页的高度时让它知道页面似乎无害，这可能会泄漏信息到浏览器用户想要保密的嵌入网站。例如， http://www.facebook.com/ 呈现的方式会有所不同，具体取决于您是否已登录在，所以，如果我的网站可以计算< iframe src =http://www.facebook.com/> 的高度，那么我可以弄清楚是否或者你不是facebook用户，你可能不想让我知道。

信息泄露与臭名昭着的 CSS历史漏洞，它会显示有关用户的信息仅通过链接到该网站与第三方网站的关系（在这种情况下使用iframe而不是链接）。浏览器供应商不得不插入CSS History Leak，所以我怀疑如果你能计算出在任何浏览器中在iframe中呈现的第三方网站的高度，供应商也必须解决这个问题。 / p>

泄露的信息可以是使用他们的cookie为用户呈现的页面高度可以推断的任何内容（即使在iframe中呈现，浏览器也会发送这些信息）在不同的域名页面内）。具体风险完全取决于被攻击的嵌入式网站的性质。例如。通过获取 https://stackoverflow.com/reputation 的高度，我可以了解有人访问我网站的堆栈流量活动有多少对于不同的用户来说是不同的。

I have to include an external whitelabel site within an iframe on my page. There are numerous pages on the external site and they vary considerably in height.

I need to adjust the height of my iframe to accommodate this.

I can get the height of the first page loaded into the iframe (using PHP), but no way of getting subsequent page heights because no way of knowing what the url/location changes to in the iframe.

As this is an external url in the iframe the usual security limitations apply, therefore ALL solutions must come from the parent frame. Solution must be workable on FF and IE at least.

The only think I can think of is to test whether the scrollbars are visible on the iframe, but this is seemingly impossible in these circumstances.

If anyone can prove me wrong, or has any other javascript/ajax/php cross-browser solution I'd love to hear it.

解决方案

It is not possible to do this because of the browser's security model. If it was possible, that would be a security problem and would have to be fixed.

Although letting the embedding site know the height of a third party webpage when embedded in the page seems harmless, this can leak information to the embedding site that the browser's user wants to keep private. For example, http://www.facebook.com/ renders differently depending on whether or not you are logged in, so if my website can work out the height of <iframe src="http://www.facebook.com/"> then I can work out whether or not you are a facebook user, something you probably don't want me to know.

The information leakage would be similar to the infamous CSS History Leak in that it would reveal information about the user's relationship with the third-party site just by "linking" to that site (in this case with an iframe instead of a link). Browser vendors had to plug the CSS History Leak, so I suspect if you could work out the height of a third party site rendered in an iframe in any browser, the vendor would have to fix that too.

The information leaked would be anything that can be inferred from the height of a page when rendered for a user using their cookies (which the browser will send even though rendering in an iframe inside a different domain's page). The specific risks depend entirely on the nature of the embedded site being "attacked". E.g. I could get an idea of how much stackoverflow activity someone visiting my site has by getting the height of https://stackoverflow.com/reputation which is different for different users.

这篇关于使用外部网址获取iframe的高度的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！