Frame Buster Buster ...需要破坏者代码
假设您不希望其他网站在 <iframe>
中构建"您的网站:
Let's say you don't want other sites to "frame" your site in an <iframe>
:
<iframe src="http://example.org"></iframe>
因此,您将反框架、框架破坏 JavaScript 插入到所有页面中:
So you insert anti-framing, frame busting JavaScript into all your pages:
/* break us out of any containing iframes */
if (top != self) { top.location.replace(self.location.href); }
太棒了!现在,您会自动破坏"或突破任何包含 iframe 的内容.除了一个小问题.
Excellent! Now you "bust" or break out of any containing iframe automatically. Except for one small problem.
事实证明,你的框架破坏代码可能会被破坏,如图所示:
<script type="text/javascript">
var prevent_bust = 0
window.onbeforeunload = function() { prevent_bust++ }
setInterval(function() {
if (prevent_bust > 0) {
prevent_bust -= 2
window.top.location = 'http://example.org/page-which-responds-with-204'
}
}, 1)
</script>
此代码执行以下操作:
- 每次浏览器通过
window.onbeforeunload
事件处理程序尝试离开当前页面时,都会增加一个计数器 - 通过
setInterval()
设置一个每毫秒触发一次的计时器,如果发现计数器增加,则将当前位置更改为攻击者控制的服务器 - 该服务器提供带有 HTTP 状态代码 204 的页面,这不会导致浏览器在任何地方导航
- increments a counter every time the browser attempts to navigate away from the current page, via the
window.onbeforeunload
event handler - sets up a timer that fires every millisecond via
setInterval()
, and if it sees the counter incremented, changes the current location to a server of the attacker's control - that server serves up a page with HTTP status code 204, which does not cause the browser to navigate anywhere
我的问题是——这更像是一个 JavaScript 谜题,而不是一个实际的问题——你如何才能打败破坏框架的破坏者?
My question is -- and this is more of a JavaScript puzzle than an actual problem -- how can you defeat the frame-busting buster?
我有一些想法,但在我的测试中没有任何效果:
I had a few thoughts, but nothing worked in my testing:
- 尝试通过
onbeforeunload = null
清除onbeforeunload
事件无效 - 添加
alert()
停止进程,让用户知道它正在发生,但不会以任何方式干扰代码;点击确定让破坏继续正常进行 - 我想不出任何方法来清除
setInterval()
计时器
- attempting to clear the
onbeforeunload
event viaonbeforeunload = null
had no effect - adding an
alert()
stopped the process let the user know it was happening, but did not interfere with the code in any way; clicking OK lets the busting continue as normal - I can't think of any way to clear the
setInterval()
timer
我不是一个 JavaScript 程序员,所以这是我对你的挑战:嘿,破坏者,你能破坏框架破坏破坏者吗?
I'm not much of a JavaScript programmer, so here's my challenge to you: hey buster, can you bust the frame-busting buster?
推荐答案
我不确定这是否可行 - 但如果你不能打破框架,为什么不只显示一个警告.例如,如果您的页面不是首页";创建一个尝试打破框架的 setInterval 方法.如果在 3 或 4 次尝试后您的页面仍然不是首页 - 创建一个覆盖整个页面(模式框)的 div 元素,其中包含一条消息和一个链接,例如...
I'm not sure if this is viable or not - but if you can't break the frame, why not just display a warning. For example, If your page isn't the "top page" create a setInterval method that tries to break the frame. If after 3 or 4 tries your page still isn't the top page - create a div element that covers the whole page (modal box) with a message and a link like...
您正在未经授权的框架窗口中查看此页面 -(等等等等……潜在的安全问题)
You are viewing this page in a unauthorized frame window - (Blah blah... potential security issue)
点击此链接解决此问题
不是最好的,但我看不出他们有什么办法可以摆脱这种情况.
Not the best, but I don't see any way they could script their way out of that.
相关文章