【Question title】: How to deny site access from an iframe?
【Posted】: 2012-01-13 21:34:30
【Question】:

I have noticed that some websites refuse to let their registration and login pages be loaded in an iFrame, for security reasons. That seems like a good idea to me.

I would like to know what setup they need to achieve this, because I want to do the same on my own site. The site in question is built in Java and runs on Apache Tomcat.

If anyone knows how this is done, it would be great if you could share it.

【Question discussion】:

    Tags: java security iframe apache2 tomcat


    【Solution 1】:

    You can detect an iframe with JavaScript:

    // framed if our URL differs from the top window's; reading top.location cross-origin throws, which also means framed
    try { if (location.href != top.location.href) { /* inside an iframe */ } } catch (e) { /* cross-origin parent: inside an iframe */ }
    

    You can also use the "X-Frame-Options" HTTP header.

    【Discussion】:

      【Solution 2】:

      Well, you should use x-frame-options

      Read this article, I hope it helps you:

      http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

      I am not familiar with JSP and servlets, but I think you can do it like this:

      import java.io.IOException;
      import javax.servlet.ServletException;
      import javax.servlet.http.HttpServlet;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;

      public class NoIFrameAllowedServlet extends HttpServlet {

        public void doGet(HttpServletRequest request,
                          HttpServletResponse response)
            throws ServletException, IOException {
            // set the header before writing any body, so it is sent with the response
            response.setHeader("X-Frame-Options", "SAMEORIGIN");
          }
      }
      

      【Discussion】:

      • Looking into it right now. :)
      • A few days ago I tried to embed a Gmail page in an iframe to grab the user's e-mail address (clickjacking hack!), and then x-frame-options made me sad! ;)
      【Solution 3】:

      This is what I used, and it worked. I got all of it from here: OWASP Clickjacking protection in java

      In web.xml, add one of these, depending on the policy you want to enforce:

          <display-name>OWASP ClickjackFilter</display-name>

          <filter>
              <filter-name>ClickjackFilterDeny</filter-name>
              <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
              <init-param>
                  <param-name>mode</param-name>
                  <param-value>DENY</param-value>
              </init-param>
          </filter>

          <filter>
              <filter-name>ClickjackFilterSameOrigin</filter-name>
              <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
              <init-param>
                  <param-name>mode</param-name>
                  <param-value>SAMEORIGIN</param-value>
              </init-param>
          </filter>

          <!-- use the Deny version to prevent anyone, including yourself, from framing the page -->
          <filter-mapping>
              <filter-name>ClickjackFilterDeny</filter-name>
              <url-pattern>/*</url-pattern>
          </filter-mapping>

          <!-- use the SameOrigin version to allow your application to frame, but nobody else
          <filter-mapping>
              <filter-name>ClickjackFilterSameOrigin</filter-name>
              <url-pattern>/*</url-pattern>
          </filter-mapping>
          -->

          ...
      

      Then in the Java code:

      import java.io.IOException;
      import javax.servlet.Filter;
      import javax.servlet.FilterChain;
      import javax.servlet.FilterConfig;
      import javax.servlet.ServletException;
      import javax.servlet.ServletRequest;
      import javax.servlet.ServletResponse;
      import javax.servlet.http.HttpServletResponse;

      public class ClickjackFilter implements Filter
      {

          private String mode = "DENY";

          /**
           * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
           * decide to implement) not to display this content in a frame. For details, please
           * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
           */
          public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
              HttpServletResponse res = (HttpServletResponse)response;
              //If you have Tomcat 5 or 6, there is a known bug using this code.  You must have the doFilter first:
              chain.doFilter(request, response);
              res.addHeader("X-FRAME-OPTIONS", mode );
              //Otherwise use this:
              //res.addHeader("X-FRAME-OPTIONS", mode );
              //chain.doFilter(request, response);

          }

          public void destroy() {
          }

          // read the "mode" init-param (DENY or SAMEORIGIN) from web.xml; defaults to DENY
          public void init(FilterConfig filterConfig) {
              String configMode = filterConfig.getInitParameter("mode");
              if ( configMode != null ) {
                  mode = configMode;
              }
          }
      }


      【Discussion】:

      • Thanks! One addition: the Java code needs to be compiled into a .jar and placed in the Tomcat/lib directory
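      The following is an added example, not code from any of the answers above or from the OWASP filter. It covers the same ground as Solutions 1 and 3 (a servlet Filter that sets X-Frame-Options from a web.xml "mode" init-param) but sets the header before calling the rest of the chain, because a header added after the downstream servlet has committed the response is silently dropped. It also validates the configured mode (browsers only honour DENY and SAMEORIGIN) and emits the equivalent Content-Security-Policy frame-ancestors directive, which newer browsers prefer over X-Frame-Options. It assumes the javax.servlet API used by the answers; the package, class and method names are this example's own.

```java
// Added example (not from the original answers or the OWASP project).
// Assumes the javax.servlet API and a web.xml mapping like the one in Solution 3.
package example.security;

import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class FrameOptionsFilter implements Filter {

    // Default is the strictest policy: nobody, not even our own pages, may frame us.
    private String mode = "DENY";

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("mode");
        if (configured != null) {
            mode = normalizeMode(configured);
        }
    }

    /** Accepts only the values browsers understand; anything else falls back to DENY. */
    static String normalizeMode(String raw) {
        String upper = raw.trim().toUpperCase(Locale.ROOT);
        if (upper.equals("SAMEORIGIN") || upper.equals("DENY")) {
            return upper;
        }
        return "DENY";
    }

    /** CSP frame-ancestors directive that expresses the same policy as the X-Frame-Options value. */
    static String frameAncestors(String xfoMode) {
        return "frame-ancestors " + (xfoMode.equals("SAMEORIGIN") ? "'self'" : "'none'");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse res = (HttpServletResponse) response;
            // Set headers BEFORE the servlet runs: once it flushes output and the response
            // is committed, any header set afterwards is ignored and the page is framable.
            res.setHeader("X-Frame-Options", mode);
            // addHeader rather than setHeader so an application-level CSP is not replaced;
            // browsers enforce every Content-Security-Policy header they receive.
            res.addHeader("Content-Security-Policy", frameAncestors(mode));
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

      Map it in web.xml exactly as Solution 3 does (filter-class example.security.FrameOptionsFilter, init-param "mode" set to DENY or SAMEORIGIN, url-pattern /*). A quick check after deployment is to fetch a login page with curl -I and confirm both X-Frame-Options and the frame-ancestors directive appear in the response headers; if they are missing only on some pages, look for a servlet that writes and flushes its body before this filter would have run.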