javascript 如何禁止框架
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4419883/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to forbid framing
提问by Trufa
I have recently noticed that stack overflow "for security reasons" does not allow framing.
我最近注意到堆栈溢出“出于安全原因”不允许框架。
1) How was this done? (Not is SO specific case! I mean the technique/language etc, for some reason I guess is js)
1)这是怎么做的?(不是那么具体的情况!我的意思是技术/语言等,出于某种原因,我猜是 js)
2) Is it actually avoiding it or just a warning (sort of like client side validation)
2)它实际上是在避免它还是只是一个警告(有点像客户端验证)
3) Should this always be done or are there specific reasons for doing this and is not necesary in most of the cases (this is the first time I've seen it)
3)是否应该始终这样做,或者是否有这样做的具体原因并且在大多数情况下不是必需的(这是我第一次看到它)
Thanks in advance!!!
提前致谢!!!
采纳答案by Michael Madsen
1) Frame busting is always done on the client: since the server is never told that a page is requested to be used in a frame, it has to be done client-side. Recent browsers support a special HTTP header called X-Frame-Optionsto prevent displaying a page in a frame, but for removing the frames or for older browser versions, you need Javascript. (Thanks to ide for pointing this out!)
1) Frame busting 总是在客户端完成:因为服务器永远不会被告知页面被请求在一个框架中使用,它必须在客户端完成。最近的浏览器支持称为X-Frame-Options的特殊 HTTP 标头以防止在框架中显示页面,但要删除框架或旧浏览器版本,您需要 Javascript。(感谢 ide 指出这一点!)
2) Assuming you don't use the HTTP header, then if Javascript is turned off, then the frame will stay. There's no way around that, since it has to happen client-side.
2) 假设您不使用 HTTP 标头,那么如果关闭 Javascript,则框架将保留。没有办法解决这个问题,因为它必须发生在客户端。
3) It was actually fairly common some years ago, although it seems most sites have stopped using it by now. One reason you might still use it is to prevent clickHymaning.
3)几年前它实际上相当普遍,尽管现在大多数网站似乎已经停止使用它。您可能仍然使用它的原因之一是为了防止点击劫持。
Now, it just so happens that frame busting can be busted, and there's actually an SO questionabout how frame-busting busters can be busted - SO is currently using this kind of anti-anti-frame busting.
现在,碰巧可以破坏 frame busting,实际上有一个关于如何破坏 frame busting buster 的问题- SO 目前正在使用这种反反框架破坏。
(Of course, it could be the case that this anti-anti-frame busting can itself be busted, in which case there might be a way to bust the anti-anti-frame-busting buster, and I'm sure you see where this is going.)
(当然,也有可能这种反反框架破坏本身就可以被破坏,这种情况下可能有办法破坏反反框架破坏,我相信你看到哪里了这是去。)
回答by epascarello
See this post on frame breakers: http://www.codinghorror.com/blog/2009/06/we-done-been-framed.html
请参阅有关框架断路器的这篇文章:http: //www.codinghorror.com/blog/2009/06/we-done-been-framed.html
回答by Austin Lin
Have you tried: http://www.cryer.co.uk/resources/javascript/script1.htmI would assume SO is using javascript to accomplish it meaning that it could be bypassed by a user who dosen't have javascript enabled or maybe by sometime of advanced on the fly html/javascript modification. I believe it is completely client side.
您是否尝试过:http: //www.cryer.co.uk/resources/javascript/script1.htm我认为 SO 正在使用 javascript 来完成它,这意味着它可以被没有启用 javascript 的用户绕过,或者也许是在某个时候进行了动态 html/javascript 修改。我相信这完全是客户端。
