iframes within a trusted website list

Posted 2020-04-01 00:36

Question:

I'm new to iframes and their security flaws. I have website A that needs to be embedded in an iframe on a list of websites. Here is the interesting part.

  • The list of trusted websites and the iframe share the same domain.
  • Only the list of trusted websites can iframe A.
  • If an untrusted website tries to iframe A, some error should be rendered.

I know some places do this with some sort of tokenization system. Does anyone know or have some good references to do this?

Answer 1:

Well, you can't prevent people from framing your website, because you don't control their code.

However, you could:

  • Use a framebuster to bust your site to the top level (exit the iframe and load in the main window).

  • Check the parent window's URL (the URL of the site framing your site). This works only if it is the same domain: if another domain is iframing you, you can't get the parent URL ("aha! someone's framing your site!"). If you CAN get the URL, the top site is from your domain. The only thing you need to do after that is check whether that site is part of your trusted sites in your domain.
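The check the answer describes, written out as an added example (this is not code from the original question or answer). It assumes a hypothetical allowlist of same-origin page paths, TRUSTED_PATHS, that are permitted to embed site A, and relies on the browser behaviour the answer points at: reading `location.href` on a cross-origin ancestor window throws a SecurityError, and that failure is itself the signal that someone else is framing you. It goes one step further than the answer by walking every ancestor frame rather than only the immediate parent, so a trusted page that has itself been framed by a foreign site is still rejected. The fake window objects at the bottom are constructed stand-ins so the logic can be exercised outside a browser.

```javascript
// Hypothetical allowlist (not from the original post): same-origin pages that may frame site A.
const TRUSTED_PATHS = ['/dashboard', '/portal/home'];

// Decide whether the current document may be shown inside its frame chain.
// `win` is a window-like object (pass `window` in a real page) so the logic is testable offline.
// Returns { allowed, reason }.
function classifyEmbedding(win, trustedPaths = TRUSTED_PATHS) {
  if (win.top === win) return { allowed: true, reason: 'not framed' };

  const selfOrigin = new URL(win.location.href).origin;
  let w = win;
  // Walk up every ancestor until the top-level window; each one must be a trusted same-origin page.
  while (w !== w.top) {
    w = w.parent; // parent/top are reachable even across origins; location.href is not
    let href;
    try {
      href = w.location.href;
    } catch (e) {
      // The browser refused the read: this ancestor belongs to another origin.
      return { allowed: false, reason: 'cross-origin ancestor frame' };
    }
    const u = new URL(href);
    if (u.origin !== selfOrigin) {
      // Defensive: a readable href should be same-origin, but never assume it.
      return { allowed: false, reason: 'ancestor on another origin: ' + u.origin };
    }
    if (!trustedPaths.includes(u.pathname)) {
      return { allowed: false, reason: 'untrusted page on our origin: ' + u.pathname };
    }
  }
  return { allowed: true, reason: 'all ancestor frames are trusted pages' };
}

// Apply the decision: on rejection, replace the page body with an error instead of the real
// content (the behaviour the question asks for). `doc` is `document` in a real page.
function enforceFramingPolicy(win, doc, trustedPaths = TRUSTED_PATHS) {
  const decision = classifyEmbedding(win, trustedPaths);
  if (!decision.allowed) {
    doc.body.textContent =
      'This page may only be displayed inside trusted pages of this site (' + decision.reason + ').';
  }
  return decision;
}

// In a browser, run once the body exists.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => enforceFramingPolicy(window, document));
}

// --- Constructed stand-ins for window objects (test scaffolding, not browser API) ---

// A same-origin-readable window with the given URL, optionally nested inside `parent`.
function fakeWindow(href, parent) {
  const w = { location: { href } };
  w.parent = parent || w;
  w.top = parent ? parent.top : w;
  return w;
}

// A cross-origin window: parent/top are reachable, but reading location.href throws,
// mirroring the SecurityError a real browser raises.
function fakeCrossOriginWindow(parent) {
  const w = {
    location: {
      get href() { throw new Error('SecurityError: blocked cross-origin read of Location.href'); },
    },
  };
  w.parent = parent || w;
  w.top = parent ? parent.top : w;
  return w;
}

module.exports = { TRUSTED_PATHS, classifyEmbedding, enforceFramingPolicy, fakeWindow, fakeCrossOriginWindow };
```

Two practical notes on this check. It runs in site A's own JavaScript, so an embedding page can only be rejected after A has loaded; if A must never render inside an untrusted frame at all, the authoritative control is the server-sent Content-Security-Policy `frame-ancestors` directive (or the older X-Frame-Options header), which the browser enforces before any script of A runs and which the answer above does not cover. Second, exact path matching against the allowlist is deliberate: a prefix match such as "starts with /dashboard" would also admit /dashboard-evil or /dashboard/anything-user-controlled.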