1. 首页
  2. 问答
  3. 如何拒绝从iframe访问网站?

如何拒绝从iframe访问网站?

2011-12-06 91 views
3

我注意到有几个网站出于安全原因拒绝iFrames访问他们的注册和登录页面。我认为这是一个好主意。如何拒绝从iframe访问网站?

我想知道他们需要什么设置才能做到这一点,因为我想在我的网站上做同样的事情。相关网站使用Java构建,并在Apache Tomcat上运行。

如果有人知道如何做到这一点,如果你能分享,这将是非常好的。

来源

2011-12-06 diggersworld

回答

3

好吧,您应该使用x-frame-options

阅读这篇文章,希望它有助于:

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

我不熟悉JSP和servlet,但我认为你可以做这样的事情:

public class NoIFrameAllowedServlet extends HttpServlet { 

    public void doGet(HttpServletRequest request, 
        HttpServletResponse response) 
     throws ServletException, IOException { 
     response.setHeader("X-Frame-Options", "SAMEORIGIN"); 
    }

来源

2011-12-06 08:55:22

+0

现在看着它的干杯。 :) – diggersworld

+0

前几天,我试图将gmail页面嵌入到iframe中,以获取用户的电子邮件地址(clickjacking hack!),然后x-frame-options,让我难过! ;) –

0

您可以检测的iframe使用JavaScript:

location.href != top.location.href -> iframe.

您也可以使用 “X-框架 - 选项” HTTP标头。

来源

2011-12-06 08:54:56 Artem

+0

如果JavaScript被禁用,则不是。 – diggersworld

4

这是我用过的和它的工作。我得到了一切从这里开始:OWASP Clickjacking protection in java

在web.xml中添加这些之一,这取决于您要执行的策略:

<display-name>OWASP ClickjackFilter</display-name> 
    <filter> 
     <filter-name>ClickjackFilterDeny</filter-name> 
     <filter-class>org.owasp.filters.ClickjackFilter</filter-class> 
     <init-param> 
      <param-name>mode</param-name> 
      <param-value>DENY</param-value> 
     </init-param> 
    </filter> 

    <filter> 
     <filter-name>ClickjackFilterSameOrigin</filter-name> 
     <filter-class>org.owasp.filters.ClickjackFilter</filter-class> 
     <init-param> 
      <param-name>mode</param-name> 
      <param-value>SAMEORIGIN</param-value> 
     </init-param> 
    </filter> 

    <!-- use the Deny version to prevent anyone, including yourself, from framing the page --> 
    <filter-mapping> 
     <filter-name>ClickjackFilterDeny</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 

    <!-- use the SameOrigin version to allow your application to frame, but nobody else 
    <filter-mapping> 
     <filter-name>ClickjackFilterSameOrigin</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 
    --> 

    ...
在Java代码中

然后:

public class ClickjackFilter implements Filter 
{ 

    private String mode = "DENY"; 

    /** 
    * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who 
    * decide to implement) not to display this content in a frame. For details, please 
    * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx. 
    */ 
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { 
     HttpServletResponse res = (HttpServletResponse)response; 
     //If you have Tomcat 5 or 6, there is a known bug using this code. You must have the doFilter first: 
     chain.doFilter(request, response); 
     res.addHeader("X-FRAME-OPTIONS", mode);    
     //Otherwise use this: 
     //res.addHeader("X-FRAME-OPTIONS", mode);   
     //chain.doFilter(request, response); 

    } 

    public void destroy() { 
    } 

    public void init(FilterConfig filterConfig) { 
     String configMode = filterConfig.getInitParameter("mode"); 
     if (configMode != null) { 
      mode = configMode; 
     } 
    }

来源

2015-02-24 20:11:29

+0

谢谢!只需补充一点,就是需要将java代码编译成.jar文件并放置在Tomcat/lib目录中 – gordon613

相关问题

 相关问题