Iframe Breaking: How to Stop Unauthorized Iframing of Your Content
A visitor to my site once told me that when he clicked one of my links on Twitter, he was taken to my site and greeted by a huge popup warning about malicious code. That is enough to scare anyone, so I started doing some testing. There was nothing wrong with my site; the problem was the link.
The link was on another site that had built a tool overlaying a prompt, encouraging people to click a malicious link, while loading my site in an iframe underneath. To many people, my site would appear to be spreading malicious code. I can't say I like any site that loads my site into an iframe, so I did what any sensible geek would do... I built a breaker.
Iframing your site isn't always bad, though. We recently shared a tool, Naanị, that adds a call-to-action (CTA) to any website link you share. It does this by loading your entire site in an iframe and overlaying a div containing the call to action on top of your content.
But I care about my content and the effort I have put into Martech Zone, so I don't want anyone iframing my content, not even a link-sharing platform. With some research, I found a few ways to fix this.
How to stop iframing of your content with JavaScript
This JavaScript checks whether the current window (self) is the topmost window (top). If it is not, the page is inside a frame, iframe, or similar, and the script redirects the topmost window to the URL of the current window. This effectively breaks the page out of the iframe.
<script type='text/javascript'>
// If this window is not the topmost window, the page has been framed:
// navigate the top window to this page's own URL.
if (top !== self) top.location.href = self.location.href;
</script>
There are several drawbacks to this approach:
- Reliance on JavaScript: if the user has JavaScript disabled, this method will not work.
- Timing delay: there may be a brief delay before the JavaScript runs, during which the framed version of your site can still be seen.
- Cross-origin restrictions: in some cases the same-origin policy can stop this script from working as intended. If the parent document is on a different domain, the script may not be able to access top.location.href.
- Potential for frame-busting-busters: there are also scripts (called frame-busting-busters) that can prevent a frame-busting script from working.
The best approach is to use HTTP response headers.
X-Frame-Options and Content Security Policy
Both X-Frame-Options and Content-Security-Policy (CSP) are HTTP response headers used to improve the security of a website. Each serves a slightly different purpose and offers a different degree of flexibility.
X-Frame-Options is an older HTTP header designed to control whether your site can be embedded in a <frame>, <iframe>, <embed>, or <object> on another site. It has three possible directives:
- DENY: the page cannot be displayed in a frame, regardless of which site attempts it.
- SAMEORIGIN: the page can only be displayed in a frame on the same origin as the page itself.
- ALLOW-FROM uri: the page can only be displayed in a frame on the specified origin.
However, X-Frame-Options has limitations: it cannot handle more complex scenarios, such as allowing framing from multiple origins or using wildcards for subdomains, and not all browsers support the ALLOW-FROM directive.
Content-Security-Policy, on the other hand, is a more flexible and powerful HTTP header. While it can do everything X-Frame-Options can do and much more, its main purpose is to prevent a wide range of code injection attacks, including cross-site scripting (XSS) and clickjacking. It works by specifying a whitelist of trusted content sources (scripts, styles, images, etc.).
For frame control, CSP uses the frame-ancestors directive. You can specify multiple sources, including multiple domains and subdomains. Here is an example:
Content-Security-Policy: frame-ancestors 'self' yourdomain.com *.domain2.com;
This would allow the page to be framed on its own site ('self'), on yourdomain.com, and on any subdomain of domain2.com.
CSP is recommended as a replacement for X-Frame-Options, since it can handle everything X-Frame-Options can and much more. While most modern browsers support CSP, some older or less common browsers may not support it fully.
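To check such a policy the way a browser would, here is an added example in Python (not code from the original post): it evaluates a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers against a page origin and a would-be parent origin, covering 'self', 'none', scheme-only sources and *.subdomain wildcards. It assumes CSP frame-ancestors takes precedence over X-Frame-Options when both are present, and it ignores ports and paths inside host sources.

```python
# Added example (not from the original post): may parent_origin frame a page served with these headers?
from urllib.parse import urlsplit

def parse_frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)

def _source_matches(source, parent):
    """One CSP host source ('*', 'https:', 'a.com', 'https://a.com', '*.a.com')
    against the parent origin. Ports/paths are ignored (simplification)."""
    parsed = urlsplit(parent)
    if source == "*":
        return True
    if source.endswith(":") and "://" not in source:  # scheme-only source
        return parsed.scheme == source[:-1]
    if "://" in source:
        scheme, source = source.split("://", 1)
        if scheme != parsed.scheme:
            return False
    src_host = source.split("/")[0].split(":")[0]
    host = parsed.hostname or ""
    if src_host.startswith("*."):  # *.domain2.com matches sub.domain2.com, not domain2.com
        return host.endswith(src_host[1:])
    return host == src_host

def framing_allowed(headers, page_origin, parent_origin):
    """CSP frame-ancestors wins when present; otherwise X-Frame-Options applies."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        for src in ancestors:
            if src == "'self'" and same_origin(page_origin, parent_origin):
                return True
            if not src.startswith("'") and _source_matches(src, parent_origin):
                return True
        return False  # covers 'none' and an empty source list
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin(page_origin, parent_origin)
    return True  # no policy at all: any site may frame the page
```

Feed it the headers you actually receive (for example from a curl -I run against your own site) to confirm that the framing origins you intended, and only those, are accepted.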
How to stop iframing of your content with HTML
There is a Content-Security-Policy meta tag that can be loaded to prevent unauthorized framing of your content:
<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self' yourdomain.com">
The effectiveness of the HTML meta tag is limited because not all browsers honor Content-Security-Policy when it is set via a meta tag.
How to stop iframing of your content with HTTP headers
It is better to use the HTTP headers X-Frame-Options or Content-Security-Policy to control framing. These options are more reliable and more secure, and they work even when JavaScript is disabled. The JavaScript method should only be used as a last resort if you have no control over the server and cannot set HTTP headers. In every example, replace yourdomain.com with your actual domain.
Apache - Modify your .htaccess file as follows:
Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' yourdomain.com"
Nginx - Modify your server block as follows:
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' yourdomain.com";
IIS - Do this by adding the following to your web.config file:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="frame-ancestors 'self' yourdomain.com" />
</customHeaders>
</httpProtocol>
</system.webServer>
WordPress - Do this by adding the following code to your functions.php file:
// Send the anti-framing headers with every WordPress response.
function add_security_headers() {
header('X-Frame-Options: SAMEORIGIN');
header("Content-Security-Policy: frame-ancestors 'self' yourdomain.com");
}
add_action('send_headers', 'add_security_headers');
These configurations will only allow your pages to be embedded in iframes on the specific domains you listed, not on any of their subdomains. If you want to allow certain subdomains, you must list them explicitly, such as subdomain1.yourdomain.com subdomain2.yourdomain.com, and so on.
Allow iframing of your content from multiple domains
You can use the Content-Security-Policy HTTP response header with the frame-ancestors directive to specify multiple domains. Each domain must be separated by a space. Here is an example:
Content-Security-Policy: frame-ancestors 'self' domain1.com domain2.com domain3.com;
Apache - Modify your .htaccess file as follows:
Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com"
Nginx - Modify your server block as follows:
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com";
IIS - Do this by adding the following to your web.config file:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
<add name="Content-Security-Policy" value="frame-ancestors 'self' domain1.com domain2.com domain3.com" />
</customHeaders>
</httpProtocol>
</system.webServer>
Allow iframing of your content from wildcard domains
You can also set a wildcard for all subdomains using the frame-ancestors directive of the Content-Security-Policy HTTP response header. Here is an example of the Content-Security-Policy value you should use:
Content-Security-Policy: frame-ancestors 'self' *.yourdomain.com;
Apache - Modify your .htaccess file as follows:
Header always set Content-Security-Policy "frame-ancestors 'self' *.yourdomain.com"
Nginx - Modify your server block as follows:
add_header Content-Security-Policy "frame-ancestors 'self' *.domain1.com *.domain2.com *.domain3.com";
IIS - Do this by adding the following to your web.config file:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="frame-ancestors 'self' *.yourdomain.com" />
</customHeaders>
</httpProtocol>
</system.webServer>