
Iframe Breaking: How to Stop Unauthorized Iframing of Your Content

A visitor to my site once told me that when he clicked one of my links on Twitter, he was taken to my site with a huge popup warning about malicious code. That is enough to scare anyone, so I started doing some testing. There was nothing wrong with my site - the problem was the link.

The link was on another site that had built an overlay tool which encouraged people to click a malicious link while loading my site in an iframe beneath it. To many people, it could look as though my site was spreading malicious code. I can't say I like any site that loads my site inside an iframe, so I did what any sensible geek would do... I built a frame breaker.

Iframing your site isn't always bad, though. We recently shared a tool that simply adds a call-to-action (CTA) to any website link you share. It does this by loading the entire site in an iframe and inserting a div with the call to action over your content.

But I value the content and effort I have put into Martech Zone, so I don't want anyone iframing my content, even a link-sharing platform. After some research, there are a few ways to fix this.

How to stop iframing of your content with JavaScript

This JavaScript code checks whether the current window (self) is not the top window (top). If it is not, the page is inside a frame, iframe, or similar, and the script redirects the top window to the URL of the current window. This effectively breaks out of the iframe.

<script type='text/javascript'>
// If this document is not the top-level window, it is being framed:
// send the top window to our own URL so the page is shown un-framed.
if (top !== self) top.location.href = self.location.href;
</script>

There are several drawbacks to this approach:

  1. Dependence on JavaScript: if the user has JavaScript disabled, this method will not work.
  2. Timing delay: there can be a slight delay before the JavaScript executes, during which the framed version of your site may still be visible.
  3. Cross-origin restrictions: in some cases, the same-origin policy can prevent this script from working as intended. If the parent document is on a different domain, the script may not be able to access top.location.href.
  4. Potential for frame-busting-busters: there are also scripts (called frame-busting-busters) that can prevent a frame-busting script from working.

The best approach is to use HTTP response headers.

X-Frame-Options and Content-Security-Policy

Both X-Frame-Options and Content-Security-Policy (CSP) are HTTP response headers used to improve the security of a website. They each serve slightly different purposes and offer different levels of flexibility.

X-Frame-Options is an older HTTP header designed to control whether your site can be embedded in a <frame>, <iframe>, <embed>, or <object> on another site. It has three possible directives:

  1. DENY - The page cannot be displayed in a frame, regardless of which site attempts to do so.
  2. SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.
  3. ALLOW-FROM uri - The page can only be displayed in a frame on the specified origin.

However, X-Frame-Options has limitations: it cannot handle more complex scenarios such as allowing framing from multiple origins or using wildcards for subdomains, and not all browsers support the ALLOW-FROM directive.

Content-Security-Policy, on the other hand, is a more flexible and powerful HTTP header. While it can do everything X-Frame-Options can do and much more, its main purpose is to prevent a wide range of code injection attacks, including cross-site scripting (XSS) and clickjacking. It works by specifying a whitelist of trusted content sources (scripts, styles, images, etc.).

For frame control, CSP uses the frame-ancestors directive. You can specify multiple sources, including multiple domains and subdomains. Here is an example:

Content-Security-Policy: frame-ancestors 'self' yourdomain.com *.domain2.com;

This would allow the page to be framed on its own site ('self'), on yourdomain.com, and on any subdomain of domain2.com.

CSP is recommended as a replacement for X-Frame-Options, since it can handle everything X-Frame-Options can do and much more. Although most modern browsers support CSP, there may still be some older or less common browsers that do not fully support it.

How to stop iframing of your content with HTML

There is a Content-Security-Policy meta tag you can load that restricts framing of your content:

<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self' yourdomain.com">

The effectiveness of the HTML meta tag is limited because not all browsers honour Content-Security-Policy when it is set via a meta tag.

How to stop iframing of your content with HTTP headers

It is better to use the HTTP headers X-Frame-Options or Content-Security-Policy to control framing. These options are more reliable and secure, and they work even when JavaScript is disabled. The JavaScript method should only be used as a last resort if you have no control over the server and cannot set HTTP headers. In each example, replace yourdomain.com with your actual domain.

Apache - Edit your .htaccess file as follows:

Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' yourdomain.com"

Nginx - Edit your server block as follows:

add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' yourdomain.com";

IIS - Do this by adding the following to your web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="frame-ancestors 'self' yourdomain.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

WordPress - Do this by adding the following code to your theme's functions.php file:

function add_security_headers() {
  header('X-Frame-Options: SAMEORIGIN');
  header("Content-Security-Policy: frame-ancestors 'self' yourdomain.com");
}
add_action('send_headers', 'add_security_headers');

These configurations will only allow your page to be embedded in iframes on the exact domain you specified, not on any of its subdomains. If you want to allow certain subdomains, you must list them explicitly, for example subdomain1.yourdomain.com subdomain2.yourdomain.com, and so on.

Allow iframing of your content from multiple domains

You can use the Content-Security-Policy HTTP response header with the frame-ancestors directive to specify multiple domains. Each domain is separated by a space. Here is an example:

Content-Security-Policy: frame-ancestors 'self' domain1.com domain2.com domain3.com;

Apache - Edit your .htaccess file as follows:

Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com"

Nginx - Edit your server block as follows:

add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com";

IIS - Do this by adding the following to your web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <add name="Content-Security-Policy" value="frame-ancestors 'self' domain1.com domain2.com domain3.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Allow iframing of your content from wildcard domains

You can also specify a wildcard for all subdomains using the Content-Security-Policy HTTP response header with the frame-ancestors directive. Here is an example of what the Content-Security-Policy should look like:

Content-Security-Policy: frame-ancestors 'self' *.yourdomain.com;

Apache - Edit your .htaccess file as follows:

Header always set Content-Security-Policy "frame-ancestors 'self' *.yourdomain.com"

Nginx - Edit your server block as follows:

add_header Content-Security-Policy "frame-ancestors 'self' *.domain1.com *.domain2.com *.domain3.com";

IIS - Do this by adding the following to your web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="frame-ancestors 'self' *.yourdomain.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
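To confirm that a frame-ancestors value like the ones in the sections above admits exactly the embedders you intend (and to see how a browser treats X-Frame-Options when both headers are sent), here is an added Python checker that evaluates a page's response headers against a candidate embedding origin; it is example code written for this article, not code from Martech Zone. It assumes the headers are passed in as a dict and simplifies the source grammar: a scheme or port in a source is only compared when the source spells one out.

```python
from urllib.parse import urlsplit

def origin(url):  # -> (scheme, host, port); the port falls back to the scheme default
    u = urlsplit(url)
    return u.scheme, (u.hostname or "").lower(), u.port or {"http": 80, "https": 443}.get(u.scheme)

def parse_frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if the policy has none."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def source_allows(source, page, embedder):
    """Does one frame-ancestors source expression permit the embedder origin?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == page
    scheme, _, rest = source.rpartition("://")  # optional scheme:// (checked only if given)
    if scheme and scheme != embedder[0]:
        return False
    host, _, port = rest.partition(":")  # optional :port (checked only if given)
    if port and port != "*" and port != str(embedder[2]):
        return False
    if host.startswith("*."):  # *.domain2.com matches subdomains, not domain2.com itself
        return embedder[1].endswith(host[1:])
    return embedder[1] == host

def framing_allowed(headers, page_url, embedder_url):
    """Apply the headers as a browser does: frame-ancestors, when present, overrides X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin(page_url), origin(embedder_url)
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        return any(source_allows(s, page, embedder) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    if xfo.startswith("ALLOW-FROM"):
        uri = xfo[len("ALLOW-FROM"):].strip()
        return bool(uri) and embedder == origin(uri)
    return True  # no framing policy at all: any site may frame the page

# Constructed sample: the CSP example from earlier in the article, paired with X-Frame-Options.
SAMPLE_HEADERS = {"X-Frame-Options": "SAMEORIGIN",
                  "Content-Security-Policy": "frame-ancestors 'self' yourdomain.com *.domain2.com"}
```

Run framing_allowed(SAMPLE_HEADERS, "https://yourdomain.com/post", "https://app.domain2.com/") to see the wildcard admit a subdomain while "https://domain2.com/" itself is refused.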

Douglas Karr

Douglas Karr is CMO of OpenINSIGHTS and the founder of Martech Zone. Douglas has helped dozens of successful MarTech startups, has assisted in the due diligence of over $5 billion in Martech acquisitions and investments, and continues to help companies implement and automate their sales and marketing strategies. Douglas is an internationally recognized digital transformation and MarTech expert and speaker. Douglas is also a published author of a Dummies guide and a business leadership book.
