可以阻止我们的网站在另一个域的框架集或IFrame中运行?

时间:2022-08-23 10:20:17

We've been having an problem recently where other sites are running our e-commerce site inside a frameset where our site (with the offenders affiliate id tacked on) is the only content in a single full width frame. So essentially it looks and feels like our site with their URL at the top. We can cut off their affiliate id, which would make it pointless for them to do, but this doesn't prevent future offenders from doing the same thing until we find out about it.

我们最近遇到了一个问题,其他网站在我们的网站集中运行我们的电子商务网站,我们的网站(违规者附加了ID)是单个全宽框架中的唯一内容。所以基本上它看起来和感觉就像我们的网站顶部的URL。我们可以切断他们的联盟会员身份,这会让他们没有意义,但这并不能阻止未来的犯罪者在我们发现之前做同样的事情。

Is there a generic way (through JavaScript that appears on every page perhaps?) to prevent this from happening? Note that adding targets to to all links is not feasible, but adding a snippet of JS to all pages is, since the header and footer portions are shared sitewide from a single source.

有没有通用的方法(通过每个页面上可能出现的JavaScript?)来防止这种情况发生?请注意,向所有链接添加目标是不可行的,但是向所有页面添加JS片段是因为页眉和页脚部分是从单个源共享的。

Another possibility would be at the Apache level (if there is anything we could do server side) as we do pass all requests through mod-rewrite.

另一种可能性是在Apache级别(如果有任何我们可以做的服务器端),因为我们通过mod-rewrite传递所有请求。

Note that it would be essential to sill allow pages to load inside an IFrame if the parent page originates from our domain, as we make valid use of IFrames

请注意,如果父页面来自我们的域,则必须在允许页面加载IFrame内部,因为我们有效地使用了IFrame

4 个解决方案

#1


I believe the proper modern method to achieve this is with The X-Frame-Options response header.

我相信实现这一目标的正确现代方法是使用X-Frame-Options响应头。

From the MDN:

来自MDN:

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

X-Frame-Options HTTP响应头可用于指示是否应允许浏览器在框架或iframe中呈现页面。站点可以通过确保其内容未嵌入其他站点来使用此功能来避免点击劫持攻击。

Take a look at: How to prevent IFRAME from redirecting top-level window

看一下:如何防止IFRAME重定向顶层窗口

#2


I've heard of solutions to this problem being referred to as a "frame popper script". A quick google comes up with this thread. Looks like this is one of the simplest:

我听说过这个问题的解决方案被称为“框架popper脚本”。一个快速的谷歌出现了这个线程。看起来这是最简单的之一:

if (window != top) top.location.href = location.href; 

#3


Take a look at this article. It offers a fairly simple solution for detecting frames and breaking out of them.

看看这篇文章。它为检测帧和突破帧提供了一个相当简单的解决方案。

How to Break Out of Frames with JavaScript

如何使用JavaScript突破框架

In addition, I would take it one step further. Whenever you detect a frame, grab the affiliate ID of the offending site framer, and push that to the server with AJAX along with the URL they are using. Then, either automatically or manually, you can verify that they are framing your site, and cancel their affiliate code one at a time.

另外,我会更进一步。每当您检测到一个帧时,请获取有问题的站点成帧器的联属会员ID,然后使用AJAX以及他们使用的URL将其推送到服务器。然后,无论是自动还是手动,您都可以验证他们是否正在构建您的网站,并一次取消一个联盟代码。

#4


Just guessing here...but what if you use javascript to call your parent window to access its document object ? You could check if its not null, and if there is a parent window (meaning a frame loaded your site), you could hide all your html through javascript...

只是在这里猜测...但是如果你使用javascript调用你的父窗口来访问它的文档对象呢?您可以检查它是否为空,如果有一个父窗口(意味着一个框架加载了您的网站),您可以通过javascript隐藏所有的HTML ...

#1


I believe the proper modern method to achieve this is with The X-Frame-Options response header.

我相信实现这一目标的正确现代方法是使用X-Frame-Options响应头。

From the MDN:

来自MDN:

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

X-Frame-Options HTTP响应头可用于指示是否应允许浏览器在框架或iframe中呈现页面。站点可以通过确保其内容未嵌入其他站点来使用此功能来避免点击劫持攻击。

Take a look at: How to prevent IFRAME from redirecting top-level window

看一下:如何防止IFRAME重定向顶层窗口

#2


I've heard of solutions to this problem being referred to as a "frame popper script". A quick google comes up with this thread. Looks like this is one of the simplest:

我听说过这个问题的解决方案被称为“框架popper脚本”。一个快速的谷歌出现了这个线程。看起来这是最简单的之一:

if (window != top) top.location.href = location.href; 

#3


Take a look at this article. It offers a fairly simple solution for detecting frames and breaking out of them.

看看这篇文章。它为检测帧和突破帧提供了一个相当简单的解决方案。

How to Break Out of Frames with JavaScript

如何使用JavaScript突破框架

In addition, I would take it one step further. Whenever you detect a frame, grab the affiliate ID of the offending site framer, and push that to the server with AJAX along with the URL they are using. Then, either automatically or manually, you can verify that they are framing your site, and cancel their affiliate code one at a time.

另外,我会更进一步。每当您检测到一个帧时,请获取有问题的站点成帧器的联属会员ID,然后使用AJAX以及他们使用的URL将其推送到服务器。然后,无论是自动还是手动,您都可以验证他们是否正在构建您的网站,并一次取消一个联盟代码。

#4


Just guessing here...but what if you use javascript to call your parent window to access its document object ? You could check if its not null, and if there is a parent window (meaning a frame loaded your site), you could hide all your html through javascript...

只是在这里猜测...但是如果你使用javascript调用你的父窗口来访问它的文档对象呢?您可以检查它是否为空,如果有一个父窗口(意味着一个框架加载了您的网站),您可以通过javascript隐藏所有的HTML ...