问题描述
我有一个包含iframe的页面。 iframe的页面和来源位于不同的域中。在iframe中,我使用了一个名为CuteEditor的富文本编辑器(结果证明它不那么可爱)。 CuteEditor中有一些javascript函数试图访问文档,但浏览器拒绝访问,因为它们不在同一个域中。
这是确切的错误:
编辑javascript是不可能的,因为它已经被修改和混淆,因此所有变量名都是神秘的。
使用不同的编辑器目前是不可能的,因为这是一个工作项目,这是我被告知要使用的编辑器。
如果子iframe是从不同的域加载,然后它将无法访问父页面或DOM。
然而,仍有一个可能的漏洞给man-in-the - 中间攻击如下。假设您的页面加载并且iframe转到
-
首先重定向到
-
这是需要中间人攻击的步骤。攻击者必须能够在用户和yoursite.com之间进行访问,或者控制DNS查找的答案。这比听起来容易 - 任何对公共WiFi接入点拥有管理控制权的人都可以这样做(想想星巴克,酒店,机场)。目标是提供,而不是您的实际网站。
-
然后,攻击者可以从(假的)提供他们喜欢的任何恶意代码。 。因为它与主页面在同一个域中,所以它可以访问父DOM。
HTML5 iframe sandbox属性似乎是避免这种情况的方法。您可以阅读,但最好的描述可能是。
这似乎得到了,,,。
规范说如果allow-same-origin属性不设置,内容被视为来自独特的起源。这样可以防止您的子iframe访问父DOM的任何部分,无论浏览器认为该URL是什么。
I've got a page with an iframe. The page and the source of the iframe are in different domains. Inside the iframe I'm using a rich text editor called CuteEditor (which has turned out to be not so cute). There are certain javascript functions in CuteEditor which try to access 'document' but the browser denies access since they're not in the same domain.
Here's the exact error:
Editing the javascript is out of the question because it's been minfied and obfuscated so all the variable names are cryptic.
Using a different editor is currently out of the question because this is a work project and this is the editor I've been told to use.
Is there a way to keep the iframe self-contained? So it does everything inside the iframe and doesn't try to break out to the parent frame?
If the child iframe is loaded from a different domain, then it will not be able to access the parent page or DOM.
However, there is a still a possible vulnerability to man-in-the-middle attack as follows. Suppose your page loads off http://yoursite.com and the iframe goes to http://badsite.org
first http://badsite.org redirects to http://yoursite.com/badpage
This is the step that requires a man-in-the-middle attack. The attacker must either be able to get between the user and yoursite.com, or control the answers to your DNS lookup. This is easier than it sounds -- anyone who has administrative control over a public WiFi access point could do it (think Starbucks, hotels, airports.) The goal is to serve the content of http://yoursite.com/badpage from the attacker's site, not your actual site.
The attacker can then serve whatever malicious code they like from the (fake) http://yoursite.org/badpage. Because this is in the same domain as the main page, it will have access to the parent DOM.
The HTML5 iframe sandbox attribute seems to be the way to avoid this. You can read the spec, but the best description might be here.
This seems to be supported on Chrome, IE10, FireFox, Safari.
The spec says that if the "allow-same-origin" attribute is not set, "the content is treated as being from a unique origin." This should prevent your child iframe from accessing any part of the parent's DOM, no matter what the browser thinks the URL is.
这篇关于如何阻止iframe访问父框架?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!