框架克星克星…需要克星码

理查德Itachi2020-03-16

假设您不希望其他网站将您的网站“框”为<iframe>：

<iframe src="http://example.org"></iframe>

因此，您可以在所有页面中插入反框架，框架破坏JavaScript：

/* break us out of any containing iframes */
if (top != self) { top.location.replace(self.location.href); }

优秀！现在，您可以自动“破坏”或突破包含iframe的任何内容。除了一个小问题。

事实证明，您的框架破坏代码可以被破坏，如下所示：

<script type="text/javascript">
    var prevent_bust = 0  
    window.onbeforeunload = function() { prevent_bust++ }  
    setInterval(function() {  
      if (prevent_bust > 0) {  
        prevent_bust -= 2  
        window.top.location = 'http://example.org/page-which-responds-with-204'  
      }  
    }, 1)  
</script>

此代码执行以下操作：

每当浏览器尝试通过window.onbeforeunload事件处理程序导航到当前页面之外时，都会增加一个计数器
设置一个计时器，通过触发每毫秒触发一次的计时器，setInterval()如果看到计数器增加，则将当前位置更改为攻击者控制的服务器
that server serves up a page with HTTP status code 204, which does not cause the browser to navigate anywhere

My question is -- and this is more of a JavaScript puzzle than an actual problem -- how can you defeat the frame-busting buster?

I had a few thoughts, but nothing worked in my testing:

attempting to clear the onbeforeunload event via onbeforeunload = null had no effect
adding an alert() stopped the process let the user know it was happening, but did not interfere with the code in any way; clicking OK lets the busting continue as normal
I can't think of any way to clear the setInterval() timer

I'm not much of a JavaScript programmer, so here's my challenge to you: hey buster, can you bust the frame-busting buster?

猴子神乐2020/03/16 14:59:26

Use htaccess to avoid high-jacking frameset, iframe and any content like images.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://www\.yoursite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule ^(.*)$ /copyrights.html [L]

This will show a copyright page instead of the expected.

JinJinGreen2020/03/16 14:59:26

If you look at the values returned by setInterval() they are usually single digits, so you can usually disable all such interrupts with a single line of code:

for (var j = 0 ; j < 256 ; ++j) clearInterval(j)

飞云Green2020/03/16 14:59:26

Well, you can modify the value of the counter, but that is obviously a brittle solution. You can load your content via AJAX after you have determined the site is not within a frame - also not a great solution, but it hopefully avoids firing the on beforeunload event (I am assuming).

Edit: Another idea. If you detect you are in a frame, ask the user to disable javascript, before clicking on a link that takes you to the desired URL (passing a querystring that lets your page know to tell the user that they can re-enable javascript once they are there).

Edit 2: Go nuclear - if you detect you are in a frame, just delete your document body content and print some nasty message.

Edit 3: Can you enumerate the top document and set all functions to null (even anonymous ones)?

LEYEvaL2020/03/16 14:59:26

If you add an alert right after the buster code, then the alert will stall the javascript thread, and it will let the page load. This is what StackOverflow does, and it busts out of my iframes, even when I use the frame busting buster. It also worked with my simple test page. This has only been tested in Firefox 3.5 and IE7 on windows.

Code:

<script type="text/javascript">
if (top != self){
  top.location.replace(self.location.href);
  alert("for security reasons bla bla bla");
}
</script>

JimDavaid猿2020/03/16 14:59:25

if (top != self) {
  top.location.replace(location);
  location.replace("about:blank"); // want me framed? no way!
}

樱神奇神无2020/03/16 14:59:25

FWIW，目前大多数浏览器支持的X框选项：否认指令，当脚本被禁用它也可使用。

IE8:
http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

Firefox (3.6.9)
https://bugzilla.mozilla.org/show_bug.cgi?id=475530
https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header

Chrome/Webkit
http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html
http://trac.webkit.org/changeset/42333

西里Eva2020/03/16 14:59:25

想到了这一点，它似乎至少在Firefox和Opera浏览器中有效。

if(top != self) {
 top.onbeforeunload = function() {};
 top.location.replace(self.location.href);
}

小胖Gil2020/03/16 14:59:25

考虑到当前为iframe引入沙箱的HTML5标准，当攻击者使用沙箱时，可以禁用此页面中提供的所有框架无效代码，因为它限制了iframe的作用：

allow-forms: Allow form submissions.
allow-popups: Allow opening popup windows.
allow-pointer-lock: Allow access to pointer movement and pointer lock.
allow-same-origin: Allow access to DOM objects when the iframe loaded form same origin
allow-scripts: Allow executing scripts inside iframe
allow-top-navigation: Allow navigation to top level window

请参阅：http : //www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox

现在，考虑攻击者使用以下代码在iframe中托管您的网站：

<iframe src="URI" sandbox></iframe>

然后，所有JavaScript框架无效代码都会失败。

在检查了所有帧总线代码之后，在所有情况下仅此防御有效：

<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       top.location = self.location;
   }
</script>

最初由Gustav Rydstedt，Elie Bursztein，Dan Boneh和Collin Jackson提出（2010）

泡芙阿飞斯丁2020/03/16 14:59:25

我不确定这是否可行-但是，如果您无法打破框架，为什么不显示警告。例如，如果您的页面不是“首页”，则创建一个setInterval方法来尝试破坏框架。如果经过3或4次尝试后，您的页面仍不是首页，请创建一个div元素，该元素会覆盖整个页面（模式框），并显示一条消息和一个链接，例如...

您正在未经授权的框架窗口中查看此页面-（等等）潜在的安全问题）

点击此链接可解决此问题

不是最好的，但是我看不出他们可以用哪种方式来摆脱困境。

Newest Answer

HTML5 Drag & Drop 拖动时更改图标/光标

5 Answer

如何完全卸载 Node.js，然后从头重新安装 (Mac OS X)

NUXT引入tailwindcss报错Error: Expected an opening square bracket.

1 Answer