
Question


The documentation at https://github.com/OfficeDev/office-js-docs/blob/master/docs/develop/privacy-and-security.md#tips-to-prevent-clickjacking lists a bunch of ways to help prevent clickjacking, by having the user confirm before performing potentially dangerous actions.


I was wondering if it would be just as safe to not render any UI on the page at all, until Office.initialize is called? Or is there a way for an attacker to iframe my add-in on their page and somehow replace the Office SDK with a malicious version?

Answer


Yes, a malicious attacker could attempt to emulate the add-in runtime. It is best to make sure the user confirms sensitive actions as described in the best practices. If your add-in requires the user to log in, that is one way of getting user input that would help mitigate.
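The pattern the answer recommends, as an added example that is not code from the question, the answer or the Office.js docs: the task pane stays hidden until Office.initialize fires, but every sensitive action still requires an explicit user confirmation, since a page that frames the add-in could emulate that callback. The element ids, the action names and the `sendMail` callback are assumptions; `Office.context.ui.displayDialogAsync` is the real Office dialog API.

```javascript
// Added example (not from the question, the answer or the Office.js docs).
// 1. The UI is hidden until Office.initialize fires (a UX safeguard only).
// 2. Every sensitive action needs an explicit user confirmation, because a
//    page framing the add-in could emulate the runtime and that callback.
// Assumptions: a global `Office` exists only inside the add-in runtime; the
// element ids "pane"/"send" and the action names below are constructed here.

const SENSITIVE_ACTIONS = new Set(["sendMail", "deleteRange"]);

function isSensitive(name) {
  return SENSITIVE_ACTIONS.has(name);
}

// Run `action` directly if it is harmless; otherwise only after `confirmFn`
// (sync or async, returning true/false) reports that the user agreed.
// Office.initialize having fired is never treated as proof of a genuine host.
async function runGuarded(name, confirmFn, action) {
  if (isSensitive(name)) {
    const agreed = await confirmFn(`Allow the add-in to ${name}?`);
    if (!agreed) return { ran: false, result: null };
  }
  return { ran: true, result: await action() };
}

// Confirmation through the Office dialog API. The dialog page at `url` is
// assumed to reply with Office.context.ui.messageParent("yes" | "no").
function officeConfirm(url) {
  return new Promise((resolve) => {
    Office.context.ui.displayDialogAsync(url, { height: 20, width: 30 }, (res) => {
      if (res.status !== Office.AsyncResultStatus.Succeeded) return resolve(false);
      const dialog = res.value;
      dialog.addEventHandler(Office.EventType.DialogMessageReceived, (arg) => {
        dialog.close();
        resolve(arg.message === "yes");
      });
    });
  });
}

// Wire the pane: it stays hidden until the host calls Office.initialize,
// and the send button always goes through runGuarded.
function mountTaskPane(officeObj, doc, confirmFn, sendMail) {
  const pane = doc.getElementById("pane");
  pane.hidden = true;
  officeObj.initialize = () => {
    pane.hidden = false;
    doc.getElementById("send").onclick = () =>
      runGuarded("sendMail", confirmFn, sendMail);
  };
}
```

In the real add-in, `mountTaskPane(Office, document, () => officeConfirm("/confirm.html"), sendMail)` would be called from the page script.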

