Why does frame breaking work across domains, and can you use a frame breaker conditionally?

Updated: 2024-10-28 02:20:41
Problem description


I've been investigating frame breaking code recently and have come across some really bizarre behavior related to the same-origin policy that I am having trouble understanding.


Suppose I've got a page Breaker.html on domain A, and a page Container.html on domain B. The example frame breaker code would go into Breaker.html, like below:

if (top !== self) top.location.href = self.location.href;


This will successfully break Breaker.html out of Container.html, but I don't understand why it should. From my reading of the same-origin policy, top.location shouldn't be accessible at all, since Container.html is on a different domain than Breaker.html. Even weirder, it appears that top.location is write-only:

// Fails if Container.html is on a different domain than Breaker.html
alert(top.location);


This is problematic to me because I'm trying to write code that allows my page to be in an iframe, but only if it's on the same domain as its parent (or is on a configured allowable domain). However, it seems to be impossible to determine this, since the same-origin policy denies me access to the parent's location.


So I've got two questions, basically:


  • Why does the above frame breaker code work at all?


  • Is there any way to break frames conditionally, or is the only check one can do whether top !== self? (In particular, I want to be able to read the domain, so that I can provide a list of allowable domains; simply checking whether I'm in the same domain or not would not be ideal.)

Recommended answer


For your answer to number 1: In terms of security, there is a big difference between read access and write access. Being able to read top.location.href is a security problem. Being able to write to top.location.href is not.


As for the answer to your question, I don't know JavaScript well enough to be sure, but one idea would be to assume that if reading top.location fails (check for exceptions), it is on a different domain.
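Putting the answer's exception probe together with the allowlist the question asks for, as an added example that is not part of the original question or answer: the two allowlisted origins, the /breaker.html and /container.html paths, and the fake-window harness are all constructed for illustration. The fallbacks used when the cross-origin read throws, location.ancestorOrigins and document.referrer, are real browser properties; the harness only mimics the browser's behaviour of throwing on read and accepting a write for a cross-origin Location so the decision logic can be run outside a browser.

```javascript
// Added example, not code from the original question or answer.
// Conditional frame breaker with an allowlist of parent origins, plus a
// constructed fake-window harness mimicking the write-only cross-origin Location.

// Assumed allowlist: the page's own origin plus one partner origin.
const ALLOWED_PARENT_ORIGINS = [
  'https://app.example.com',
  'https://partner.example.org',
];

// The exception probe from the answer: reading top.location succeeds only when
// the top window is same-origin; a cross-origin read throws SecurityError.
function readTopOrigin(win) {
  try {
    return win.top.location.origin;
  } catch (e) {
    return null; // cross-origin top window: location is write-only for us
  }
}

// Decide whether to stay framed. Fails closed when the parent cannot be verified.
function decideFraming(win, allowed) {
  if (win.top === win.self) {
    return { action: 'stay', reason: 'not framed' };
  }
  const topOrigin = readTopOrigin(win);
  if (topOrigin !== null) {
    return allowed.includes(topOrigin)
      ? { action: 'stay', reason: 'same-origin top window on allowlist' }
      : { action: 'break', reason: 'same-origin top window not on allowlist' };
  }
  // location.ancestorOrigins (Chromium and WebKit; Firefox does not implement it)
  // lists every ancestor frame's origin even when they are cross-origin.
  const ancestors = win.self.location.ancestorOrigins;
  if (ancestors && ancestors.length > 0) {
    const bad = Array.from(ancestors).find((o) => !allowed.includes(o));
    return bad === undefined
      ? { action: 'stay', reason: 'all ancestor origins on allowlist' }
      : { action: 'break', reason: 'ancestor origin not on allowlist: ' + bad };
  }
  // Fallback: document.referrer. An embedder cannot forge another origin here,
  // but its Referrer-Policy can blank it, in which case we break out.
  let refOrigin = null;
  try {
    if (win.document.referrer) refOrigin = new URL(win.document.referrer).origin;
  } catch (e) { /* unparsable referrer: treat as absent */ }
  if (refOrigin !== null && allowed.includes(refOrigin)) {
    return { action: 'stay', reason: 'referrer origin on allowlist' };
  }
  return { action: 'break', reason: 'cross-origin parent could not be verified' };
}

// The write to top.location.href is permitted cross-origin, which is exactly
// what makes the one-line breaker in the question work at all.
function applyDecision(win, decision) {
  if (decision.action !== 'break') return false;
  win.top.location.href = win.self.location.href;
  return true;
}

// Constructed harness: fake Location objects that throw on cross-origin reads
// and record writes, like the browser does.
function makeLocation(origin, path, crossOrigin) {
  const loc = { writes: [] };
  Object.defineProperty(loc, 'origin', {
    get() { if (crossOrigin) throw new Error('SecurityError'); return origin; },
  });
  Object.defineProperty(loc, 'href', {
    get() { if (crossOrigin) throw new Error('SecurityError'); return origin + path; },
    set(v) { loc.writes.push(v); },
  });
  return loc;
}

function makeWindow({ selfOrigin, parentOrigin, ancestorOrigins, referrer }) {
  const self = { location: makeLocation(selfOrigin, '/breaker.html', false) };
  self.location.ancestorOrigins = ancestorOrigins; // undefined mimics Firefox
  const top = parentOrigin === null
    ? self
    : { location: makeLocation(parentOrigin, '/container.html', parentOrigin !== selfOrigin) };
  return { self, top, document: { referrer } };
}

// Run the decision logic over constructed scenarios; returns per-scenario results.
function runScenarios() {
  const me = 'https://app.example.com';
  const partner = 'https://partner.example.org';
  const evil = 'https://evil.example.net';
  const scenarios = {
    notFramed:          makeWindow({ selfOrigin: me, parentOrigin: null, ancestorOrigins: undefined, referrer: '' }),
    sameOriginParent:   makeWindow({ selfOrigin: me, parentOrigin: me, ancestorOrigins: [me], referrer: me + '/container.html' }),
    allowedCrossOrigin: makeWindow({ selfOrigin: me, parentOrigin: partner, ancestorOrigins: [partner], referrer: '' }),
    hostileCrossOrigin: makeWindow({ selfOrigin: me, parentOrigin: evil, ancestorOrigins: [evil], referrer: '' }),
    unverifiable:       makeWindow({ selfOrigin: me, parentOrigin: partner, ancestorOrigins: undefined, referrer: '' }),
  };
  const results = {};
  for (const [name, win] of Object.entries(scenarios)) {
    const decision = decideFraming(win, ALLOWED_PARENT_ORIGINS);
    const broke = applyDecision(win, decision);
    results[name] = { action: decision.action, reason: decision.reason, broke, writes: win.top.location.writes.slice() };
  }
  return results;
}

console.log(runScenarios());
```

Note the "unverifiable" case: a partner that is actually on the allowlist still gets broken out of when the browser exposes neither ancestorOrigins nor a referrer, because the script has no evidence and fails closed. Treat any script of this kind as defence in depth only: a framing page can neutralise it (for example with a sandboxed iframe that omits allow-top-navigation, so the write to top.location is refused), whereas a Content-Security-Policy frame-ancestors directive (or X-Frame-Options) sent by the server enforces the same allowlist in the browser without the page needing to read anything across origins.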

Published: 2023-11-17 14:15:12
Link: https://www.elefans.com/category/jswz/34/1610162.html