Is it safe to use sandbox="allow-scripts allow-popups allow-same-origin" on an <iframe />?

Question
I'm dynamically creating an iframe in my app, result looks as follows:
<iframe src="blob:http%3A//localhost%3A9292/0194dfed-6255-4029-a767-c60156f3d359"
scrolling="no" sandbox="allow-scripts allow-popups allow-same-origin"
name="sandbox" style="width: 100%; height: 100%; border: 0px;"></iframe>
Is it safe to have such sandbox configuration (especially allowing the iframe content to be treated as being from the same origin)?
Answer
allow-same-origin is not safe. That will give the iframe the possibility to access parent data (local storage, for example).

Also, allow-same-origin will allow the iframe to make AJAX requests to the parent's APIs, which can also be harmful.

However, for an iframe to access the parent's data, it also needs to execute scripts, so allow-same-origin without allow-scripts is harmless.

As for allow-popups, there is not much unsafe stuff an iframe can do, except the fact that it can open other URLs.
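As an added illustration that is not part of the answer above, here is a small JavaScript checker that parses a sandbox attribute value the way browsers do (whitespace-separated, ASCII case-insensitive tokens) and reports which of the capabilities discussed in this thread the framed document would get. The function names `parseSandbox`, `assessSandbox` and `hardenSandbox` are chosen for this example, and the input string is the attribute value from the question.

```javascript
// Added example: policy checker for the iframe sandbox attribute.
// With an empty sandbox attribute every capability is denied; each
// token below re-enables exactly one of them.
function parseSandbox(value) {
  return new Set(
    String(value).trim().split(/\s+/).filter(Boolean).map(t => t.toLowerCase())
  );
}

function assessSandbox(value) {
  const tokens = parseSandbox(value);
  const scripts = tokens.has("allow-scripts");
  const sameOrigin = tokens.has("allow-same-origin");
  const popups = tokens.has("allow-popups");
  return {
    tokens: [...tokens].sort(),
    // Script execution inside the frame.
    canRunScripts: scripts,
    // The frame keeps the origin of its URL instead of an opaque one. A blob:
    // URL minted by the parent carries the parent's origin, so here "same
    // origin" really means the parent's origin.
    keepsOrigin: sameOrigin,
    // The combination the answer warns about: scripts AND same origin lets
    // the framed code read the parent's localStorage and call the parent's
    // APIs with the parent's credentials. The HTML spec also notes that such
    // a frame can simply remove its own sandbox attribute.
    canReachParentOrigin: scripts && sameOrigin,
    // allow-popups only lets it open new windows; without
    // allow-popups-to-escape-sandbox those windows inherit the sandbox flags.
    canOpenPopups: popups,
    popupsEscapeSandbox: popups && tokens.has("allow-popups-to-escape-sandbox"),
  };
}

// Mitigation for the configuration in the question: keep scripts and popups,
// drop allow-same-origin so the blob: document runs in an opaque origin.
function hardenSandbox(value) {
  const tokens = parseSandbox(value);
  if (tokens.has("allow-scripts")) tokens.delete("allow-same-origin");
  return [...tokens].sort().join(" ");
}

// Constructed input: the attribute value from the question.
const questioned = "allow-scripts allow-popups allow-same-origin";
console.log(assessSandbox(questioned));
console.log("hardened:", hardenSandbox(questioned));
```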