Frame Buster Buster ...需要破坏者代码

2022-01-30 00:00:00 iframe javascript html framebusting

假设您不希望其他网站在 <iframe> 中构建"您的网站:

Let's say you don't want other sites to "frame" your site in an <iframe>:

<iframe src="http://example.org"></iframe>

因此,您将反框架、框架破坏 JavaScript 插入到所有页面中:

So you insert anti-framing, frame busting JavaScript into all your pages:

/* break us out of any containing iframes */
if (top != self) { top.location.replace(self.location.href); }

太棒了!现在,您会自动破坏"或突破任何包含 iframe 的内容.除了一个小问题.

Excellent! Now you "bust" or break out of any containing iframe automatically. Except for one small problem.

事实证明,你的框架破坏代码可能会被破坏,如图所示:

<script type="text/javascript">
    var prevent_bust = 0  
    window.onbeforeunload = function() { prevent_bust++ }  
    setInterval(function() {  
      if (prevent_bust > 0) {  
        prevent_bust -= 2  
        window.top.location = 'http://example.org/page-which-responds-with-204'  
      }  
    }, 1)  
</script>

此代码执行以下操作:

  • 每次浏览器通过 window.onbeforeunload 事件处理程序尝试离开当前页面时,都会增加一个计数器
  • 通过 setInterval() 设置一个每毫秒触发一次的计时器,如果发现计数器增加,则将当前位置更改为攻击者控制的服务器
  • 该服务器提供带有 HTTP 状态代码 204 的页面,这不会导致浏览器在任何地方导航
  • increments a counter every time the browser attempts to navigate away from the current page, via the window.onbeforeunload event handler
  • sets up a timer that fires every millisecond via setInterval(), and if it sees the counter incremented, changes the current location to a server of the attacker's control
  • that server serves up a page with HTTP status code 204, which does not cause the browser to navigate anywhere

我的问题是——这更像是一个 JavaScript 谜题,而不是一个实际的问题——你如何才能打败破坏框架的破坏者?

My question is -- and this is more of a JavaScript puzzle than an actual problem -- how can you defeat the frame-busting buster?

我有一些想法,但在我的测试中没有任何效果:

I had a few thoughts, but nothing worked in my testing:

  • 尝试通过 onbeforeunload = null 清除 onbeforeunload 事件无效
  • 添加 alert() 停止进程,让用户知道它正在发生,但不会以任何方式干扰代码;点击确定让破坏继续正常进行
  • 我想不出任何方法来清除 setInterval() 计时器
  • attempting to clear the onbeforeunload event via onbeforeunload = null had no effect
  • adding an alert() stopped the process let the user know it was happening, but did not interfere with the code in any way; clicking OK lets the busting continue as normal
  • I can't think of any way to clear the setInterval() timer

我不是一个 JavaScript 程序员,所以这是我对你的挑战:嘿,破坏者,你能破坏框架破坏破坏者吗?

I'm not much of a JavaScript programmer, so here's my challenge to you: hey buster, can you bust the frame-busting buster?

推荐答案

我不确定这是否可行 - 但如果你不能打破框架,为什么不只显示一个警告.例如,如果您的页面不是首页";创建一个尝试打破框架的 setInterval 方法.如果在 3 或 4 次尝试后您的页面仍然不是首页 - 创建一个覆盖整个页面(模式框)的 div 元素,其中包含一条消息和一个链接,例如...

I'm not sure if this is viable or not - but if you can't break the frame, why not just display a warning. For example, If your page isn't the "top page" create a setInterval method that tries to break the frame. If after 3 or 4 tries your page still isn't the top page - create a div element that covers the whole page (modal box) with a message and a link like...

您正在未经授权的框架窗口中查看此页面 -(等等等等……潜在的安全问题)

You are viewing this page in a unauthorized frame window - (Blah blah... potential security issue)

点击此链接解决此问题

不是最好的,但我看不出他们有什么办法可以摆脱这种情况.

Not the best, but I don't see any way they could script their way out of that.

相关文章