javascript 检查网站是否不允许嵌入 iframe
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7422300/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Checking if a website doesn't permit iframe embed
提问by Matt De Leon
I am writing a simple lightbox-like plugin for my app, and I need to embed an iframe that is linked to an arbitrary page. The problem is, many web sites (for example, facebook, nytimes, and even stackoverflow) will check to see if is being embedded within a frame and if so, will refresh the page with itself as the parent page. This is a known issue, and I don't think there's anything that can be done about this. However, I would like the ability to know before hand if a site supports embed or not. If it doesn't, I'd like to open the page in a new tab/window instead of using an iframe.
我正在为我的应用程序编写一个简单的类似灯箱的插件,我需要嵌入一个链接到任意页面的 iframe。问题是,许多网站(例如,facebook、 nytimes 甚至 stackoverflow )会检查是否被嵌入到框架中,如果是,则将页面刷新为父页面。这是一个已知问题,我认为对此无能为力。但是,我希望能够事先知道站点是否支持嵌入。如果没有,我想在新选项卡/窗口中打开页面,而不是使用 iframe。
Is there a trick that allows me to check this in javascript?
有什么技巧可以让我在javascript中检查这个吗?
Maybe there is a server-side script that can check links to see if they permit an iframe embed?
也许有一个服务器端脚本可以检查链接以查看它们是否允许嵌入 iframe?
I am developing a browser extension, so there is an opportunity to do something very creative. My extension is loaded on every page, so I'm thinking there's a way to pass a parameter in the iframe url that can be picked up by the extension if it destroys the iframe. Then I can add the domain to a list of sites that don't support iframe embed. This may work since extensions aren't loaded within iframes. I will work on this, but in the meantime....
我正在开发一个浏览器扩展,所以有机会做一些非常有创意的事情。我的扩展程序加载在每个页面上,所以我想有一种方法可以在 iframe url 中传递一个参数,如果它破坏了 iframe,扩展程序可以选择该参数。然后我可以将该域添加到不支持 iframe 嵌入的站点列表中。这可能有效,因为 iframe 中未加载扩展。我会努力解决这个问题,但与此同时......
Clarification:
澄清:
I am willing to accept that there's no way to "bust" the "frame buster," i.e. I know that I can't display a page in an iframe that doesn't want to be in one. But I'd like for my app to fail gracefully, which means opening the link in a new window if iframe embed is not supported. Ideally, I'd like to check iframe embed support at runtime (javascript), but I can see a potential server-side solution using a proxy like suggested in the comments above. Hopefully, I can build a database of sites that don't allow iframe embed.
我愿意接受没有办法“破坏”“框架破坏者”,即我知道我不能在不想在一个 iframe 中显示的页面。但我希望我的应用程序正常失败,这意味着如果不支持 iframe 嵌入,请在新窗口中打开链接。理想情况下,我想在运行时检查 iframe 嵌入支持(javascript),但我可以看到使用代理的潜在服务器端解决方案,如上面评论中建议的那样。希望我可以建立一个不允许嵌入 iframe 的网站数据库。
回答by vinod
Check x-frame-options header by using following code
使用以下代码检查 x-frame-options 标头
$url = "http://stackoverflow.com";
$header = get_headers($url, 1);
echo $header["X-Frame-Options"];
If return value DENY, SAMEORIGIN or ALLOW-FROM then you can't use iframe with that url.
如果返回值是 DENY、SAMEORIGIN 或 ALLOW-FROM,则不能使用带有该 url 的 iframe。
回答by ars265
Probably pretty late but what you need to do is make a request, likely from your server and look for the x-frame-options header. If it's there at all you can just open a new tab because if it is there is is one of the following: DENY, SAMEORIGIN, ALLOW-FROM. In any of these cases it's likely that you don't have access to open it in an iframe.
可能很晚了,但您需要做的是发出请求,可能来自您的服务器并查找 x-frame-options 标头。如果它在那里你可以只打开一个新标签,因为如果它有以下之一:拒绝、相同来源、允许。在任何这些情况下,您可能都无权在 iframe 中打开它。
回答by T9b
This subject has been discussed forever on the web with a particularly interesting (failed) attempt here:
这个主题在网上一直被讨论过,这里有一个特别有趣(失败)的尝试:
Frame Buster Buster ... buster code needed
Frame Buster Buster ...需要buster代码
The bottom line is that even if you are able to construct a proxy that parses the contents of the page that you want in your iframe and removes the offending code before it is served to the iframe you may still come under "cease and desist" from the site if they get to hear about you doing it.
最重要的是,即使您能够构建一个代理来解析您想要在 iframe 中的页面内容并在将其提供给 iframe 之前删除有问题的代码,您仍然可能会受到“停止和停止”的影响网站,如果他们听说你这样做。
If you don't want your development to be widely available, you could probably get away with it. If you want your development to become popular, forget about it, and build a less underhand way of dealing with it.
如果你不希望你的开发被广泛使用,你可能会侥幸逃脱。如果您希望您的开发变得流行,请忘记它,并建立一种不那么卑鄙的处理方式。
Or develop it for mobile only... ;)
或仅针对移动设备开发... ;)
UPDATE:OK following on from your comment here's a bit of taster:
更新:好的,根据您的评论,这里有一些品尝者:
in javascript capture the click on the link
在javascript中捕获链接上的点击
$("a").click(function(e){
preventDefault(e); // make sure the click doesn't happen
// call a server side script using ajax and pass the URL this.href
// return either a true or false; true = iframe breakout
// set the target attribute of the link to "_blank" for new window (if true)
// set the target attribute of the link to "yourframename" for iframe (if false)
// only now load the page in the new window or iframe
});
server side in PHP
PHP中的服务器端
$d = file_get_contents($url); // $url is the url your sent from the browser
// now parse $d to find .top .parent etc... in the <head></head> block
// return true or false
