Is it safe to use sandbox="allow-scripts allow-popups allow-same-origin" on <iframe />?

Problem description

I'm dynamically creating an iframe in my app, result looks as follows:

<iframe src="blob:http%3A//localhost%3A9292/0194dfed-6255-4029-a767-c60156f3d359" 
        scrolling="no" sandbox="allow-scripts allow-popups allow-same-origin" 
        name="sandbox" style="width: 100%; height: 100%; border: 0px;"></iframe>

Is it safe to have such sandbox configuration (especially allowing the iframe content to be treated as being from the same origin)?

Recommended answer

allow-same-origin is not safe. That will give the iframe the possibility to access parent data (local storage, for example).

Also, allow-same-origin will allow the iframe to make AJAX requests to the parent's APIs, which can also be harmful.

However, for an iframe to access the parent's data, it also needs to execute scripts, so allow-same-origin without allow-scripts is harmless.

As for allow-popups, there is not much unsafe stuff an iframe can do, except the fact that it can open other URLs.
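As an added example (not part of the question or the answer above), a small Node.js helper that audits an iframe's sandbox token list for the combinations discussed here; the function names and severity labels are my own. It is worth remembering that a blob: URL created by the parent page shares the parent's origin, so with allow-same-origin the frame in the question is fully same-origin with its parent.

```javascript
// Audit an <iframe sandbox="..."> token list for the risky combinations
// described above. Constructed helper: it does not create a frame, it only
// reasons about which capabilities the tokens grant.

// Tokens defined by the HTML spec; browsers ignore anything else.
const KNOWN_TOKENS = new Set([
  "allow-forms", "allow-modals", "allow-orientation-lock", "allow-pointer-lock",
  "allow-popups", "allow-popups-to-escape-sandbox", "allow-presentation",
  "allow-same-origin", "allow-scripts", "allow-top-navigation",
  "allow-top-navigation-by-user-activation", "allow-downloads",
]);

const RANK = { none: 0, info: 0, low: 1, medium: 2, high: 3 };

function parseSandbox(value) {
  // The attribute is a space-separated, ASCII case-insensitive token set.
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

function auditSandbox(value) {
  const tokens = parseSandbox(value);
  const findings = [];
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) findings.push({ level: "info", msg: `unknown token ignored: ${t}` });
  }
  const scripts = tokens.has("allow-scripts");
  const sameOrigin = tokens.has("allow-same-origin");
  if (scripts && sameOrigin) {
    // Same origin plus script: the frame can read the parent's DOM and storage,
    // call the parent's APIs with its cookies, and remove its own sandbox attribute.
    findings.push({ level: "high", msg: "allow-scripts + allow-same-origin defeats the sandbox" });
  } else if (sameOrigin) {
    findings.push({ level: "low", msg: "allow-same-origin without allow-scripts: origin kept, no script" });
  }
  if (tokens.has("allow-popups")) {
    const escapes = tokens.has("allow-popups-to-escape-sandbox");
    findings.push(escapes
      ? { level: "medium", msg: "popups opened by the frame are not sandboxed" }
      : { level: "low", msg: "frame can open new windows; they inherit the sandbox" });
  }
  return findings;
}

// Highest severity among the findings ("none" if nothing beyond info).
function overallRisk(value) {
  return auditSandbox(value).reduce(
    (worst, f) => (RANK[f.level] > RANK[worst] ? f.level : worst), "none");
}

module.exports = { parseSandbox, auditSandbox, overallRisk };
```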
