How to restrict who can iframe embed my web app?


Question

What is the best (most secure) way to restrict which websites can iframe embed my web application?

For example, everyone should be denied who is not on the list:

  • www.myFriend.com
  • www.anotherFriend.com
  • www.myThirdFriend.com

As a follow up question, given any restrictions for the above, what is the most secure way to find out server side which one of the white-listed sites is doing the embedding?

Answer

Use the X-Frame-Options HTTP header.

X-Frame-Options: ALLOW-FROM http://example.com/

See also the MSDN documentation which has this advice:


Note that the Allow-From token does not support wildcards or listing of multiple origins. For cases where the server wishes to allow more than one page to frame its content, the following design pattern is recommended:


  1. The outer IFRAME supplies its own origin information, using a querystring parameter on the Inner IFRAME's src attribute. This can obviously be specified by an attacker, but that's OK.
  2. The server for the Inner IFRAME verifies the supplied Origin information meets whatever criteria business practices call for. For example, the server that serves the IFRAME containing a social network's "Like" button, might check to see that the supplied Origin matches the Origin expected for that Like button, and that the owner of the specified Origin has a valid affiliate relationship, etc.
  3. If satisfied with the information supplied, the server for the Inner IFRAME sends an X-FRAME-OPTIONS: allow-from suppliedorigin header
  4. The Browser then enforces the X-FRAME-OPTIONS directive.
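The four-step pattern above, worked through as an added example; this is not code from the original answer or from the MSDN text. The allowlist holds the three hostnames from the question; the `?origin=` query parameter name, the functions `normalize_origin`, `framing_headers` and `static_frame_ancestors`, and the `inner_iframe_url` argument are assumptions made for the example. It also goes beyond the answer in one respect: besides `X-Frame-Options` it emits a `Content-Security-Policy: frame-ancestors` header. `ALLOW-FROM` was only ever honoured by Internet Explorer and older Firefox releases, whereas `frame-ancestors` is enforced by current browsers and, unlike `ALLOW-FROM`, accepts several origins in one header, so a fixed allowlist can be sent statically with no query-string handshake at all.

```python
import re
from urllib.parse import parse_qs, urlparse

# Hostnames allowed to frame the app, taken from the question (constructed allowlist).
ALLOWED_EMBEDDERS = {
    "www.myfriend.com",
    "www.anotherfriend.com",
    "www.mythirdfriend.com",
}

# host[:port] only: lower-case letters, digits, dots, hyphens, optional numeric port.
_NETLOC_RE = re.compile(r"[a-z0-9.-]+(:\d{1,5})?")


def normalize_origin(value):
    """Reduce an untrusted ?origin= value to 'scheme://host[:port]' or None.

    Only http/https URLs consisting of nothing but an origin are accepted, so the
    value echoed back in the response header can never carry a path, query,
    fragment, user@ prefix or stray control characters into the directive.
    """
    if not value:
        return None
    parts = urlparse(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    netloc = parts.netloc.lower()
    if not _NETLOC_RE.fullmatch(netloc):
        return None
    return f"{parts.scheme}://{netloc}"


def framing_headers(inner_iframe_url):
    """Steps 1-3 of the pattern for one request to the inner iframe's URL.

    Returns (embedder_host, headers). embedder_host is the allowlisted site the
    page may be framed by, or None when framing is refused. The claimed origin is
    attacker-controlled: it identifies the embedder only because the browser
    refuses to render the frame on any other page (step 4).
    """
    query = parse_qs(urlparse(inner_iframe_url).query)
    claimed = query.get("origin", [None])[0]  # step 1: origin supplied by outer frame
    origin = normalize_origin(claimed)
    if origin is not None:
        host = urlparse(origin).hostname
        if host in ALLOWED_EMBEDDERS:  # step 2: business check, here an allowlist
            return host, {  # step 3: echo the validated origin back
                "X-Frame-Options": f"ALLOW-FROM {origin}",
                "Content-Security-Policy": f"frame-ancestors {origin}",
            }
    # Unknown, missing or malformed origin: refuse framing entirely.
    return None, {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def static_frame_ancestors(scheme="https"):
    """No-handshake alternative: frame-ancestors can list every allowed origin."""
    origins = " ".join(f"{scheme}://{host}" for host in sorted(ALLOWED_EMBEDDERS))
    return f"frame-ancestors {origins}"


if __name__ == "__main__":
    # Constructed sample requests: one legitimate embedder and three attempts
    # to pass a value that looks allowlisted but is not.
    for url in (
        "https://app.example/widget?origin=https://www.myFriend.com",
        "https://app.example/widget?origin=https://www.myfriend.com.evil.example",
        "https://app.example/widget?origin=https://www.myfriend.com@evil.example",
        "https://app.example/widget",
    ):
        print(url, "->", framing_headers(url))
    print(static_frame_ancestors())
```

`framing_headers` answers the follow-up question as far as this pattern allows: the server learns which allowlisted site is embedding only from the origin the outer page chose to claim, and that claim is trustworthy solely because the browser will not render the frame on a page with a different origin. If identifying the embedder matters beyond that, the embedding site has to authenticate (a signed token in the src URL, for instance), which the answer does not cover.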

