How does it appear that MDN can detect a request f

Posted 2019-03-05 02:14

Question:

Please Note: This question is not related directly to Server-side detection that a page is shown inside an IFrame, as I'm showing you an instance where it would appear that the guys at MDN (Mozilla Developer Network) are already detecting that content is being delivered to an iframe, although, if you read through this, I discuss the possibility that this isn't server-side related at all; it might be some sort of "rights" issue declared somehow or in some way I don't know about. The point is to understand how something already existing works.

First of all, I do not desire to rip off MDN (Mozilla Developer Network) content as my own. I'm asking this because I'm truly puzzled by it. The guys at MDN seem to have pulled off a nice trick, and I'd like to know it, but maybe it's simpler than I realized.

The code is only:

<iframe src="https://developer.mozilla.org/en-US/docs/HTML/HTML5"></iframe>

Take, for example, this fiddle:

http://jsfiddle.net/jfcox/D3UNZ/

Do you notice how there's no content in the iframe? There doesn't appear to be any content related to the request on the Chrome network tab.

I assure you, that'd work on a "normal" website, like example.org. See http://jsfiddle.net/jfcox/nPwcu/

So, I ask, what is it that they are doing to detect that a request is being made from an iframe? Is there some Browser-Fu I don't know about? Oddly enough, that might be the case. From IE9.

To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.

Wow! Ok, so maybe it's not server-side, maybe it's all Browser-Fu. Even so, how do IE9 and these other browsers know what I don't know? What do I need to look up to learn about this?

I have my own suspicions, namely that there's some file at the root of the website like crossdomain.xml for flash that defines permissions about content usage or whatever, but I still wouldn't even know where to start if that's the case.

Answer 1:

Turns out, it's a pretty simple copy protection. All you need to do is set a response header.

  • https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
  • http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00

Yes, "frame", instead of "iframe".

:eyeroll:

I suppose the name makes sense, considering the possibility somebody could still attempt to use old HTML 4 frame tags for whatever purpose, and I would expect most browser/DOM engines have baked-in support of frame tags given HTML history. Netscape created/supported frames as early as version 2.0 and iframe was a later, purely-Microsoft invention that found wide adoption, IIRC.
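
The decision the browser makes from that response header, sketched as an added example that is not part of the original answer. It is a simplified model: the function names are hypothetical, the header values are constructed (the page does not show what MDN actually sends), and only the `DENY` and `SAMEORIGIN` values are modelled.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) origin tuple of a URL."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))

def may_render_in_frame(response_headers, page_url, ancestor_urls):
    """Simplified model of the browser-side X-Frame-Options check.

    response_headers: (name, value) pairs from the response for the framed page.
    ancestor_urls: URLs of every document that would contain the frame.
    """
    values = set()
    for name, value in response_headers:
        if name.lower() == "x-frame-options":  # header names are case-insensitive
            values.update(v.strip().lower() for v in value.split(",") if v.strip())
    if not values:
        return True   # header absent: framing is not restricted by this mechanism
    if "deny" in values:
        return False  # no page may frame this response
    if len(values) > 1:
        return False  # conflicting directives: this model fails closed
    if values == {"sameorigin"}:
        return all(origin(a) == origin(page_url) for a in ancestor_urls)
    return True       # unrecognised value: treated as if the header were absent

if __name__ == "__main__":
    # Constructed sample: the URLs come from the question, the header values are assumed.
    page = "https://developer.mozilla.org/en-US/docs/HTML/HTML5"
    fiddle = "http://jsfiddle.net/jfcox/D3UNZ/"
    for hdrs in ([("X-Frame-Options", "DENY")], [("X-Frame-Options", "SAMEORIGIN")], []):
        print(hdrs, "->", may_render_in_frame(hdrs, page, [fiddle]))
```

The server only attaches the header; the refusal to render happens in the browser, which is why nothing frame-specific needs to be detected on the server side.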