2011-12-06 96 views
3

I've noticed that several websites refuse iFrame access to their registration and login pages for security reasons. I think this is a good idea. How do you deny access to a website from an iframe?

I'd like to know what settings they need in order to do this, because I want to do the same thing on my site. The site in question is built with Java and runs on Apache Tomcat.

If anyone knows how to do this, it would be great if you could share it.

Answers

3

Well, you should use X-Frame-Options.

Read this article, I hope it helps:

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

I'm not familiar with JSP and servlets, but I think you can do something like this:

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class NoIFrameAllowedServlet extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // SAMEORIGIN: only pages from this site may frame the response; DENY forbids all framing
            response.setHeader("X-Frame-Options", "SAMEORIGIN");
        }
    }
+0

Cheers, looking at it now. :) – diggersworld

+0

A few days ago I tried to embed the gmail page in an iframe to grab the user's email address (clickjacking hack!), and then X-Frame-Options made me sad! ;) –

0

You can detect an iframe using JavaScript:

    if (location.href != top.location.href) {
        // the page is inside an iframe
    }

You can also use the "X-Frame-Options" HTTP header.

+0

Not if JavaScript is disabled. – diggersworld
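The check in this answer, written the way a practitioner would deploy it, as an added example that is not code from the original answer. It fails closed: the page's body is hidden by a stylesheet rule (assumed: `body { display: none }` in the document's head), and the script reveals it only after confirming the page is not framed; if it is framed, the script tries to break out and the body stays hidden either way. The Window is passed in as a parameter, and `makeWindow` is a constructed stand-in, so the logic can be exercised outside a browser.

```javascript
// Added example, not from the original answer. Assumes a CSS rule
// body { display: none } in <head>; the script reveals the body only when
// the page is confirmed not to be framed.

function isFramed(win) {
  // self !== top is readable even from a cross-origin frame; reading
  // top.location.href (as in the answer) throws a SecurityError there,
  // so the comparison is wrapped and any exception counts as "framed".
  try {
    return win.self !== win.top;
  } catch (e) {
    return true;
  }
}

function applyFrameBusting(win) {
  // Returns "shown" or "hidden" so the outcome can be checked.
  if (!isFramed(win)) {
    win.document.body.style.display = "block";
    return "shown";
  }
  try {
    // Attempt to replace the framing top-level page with ourselves.
    win.top.location = win.self.location;
  } catch (e) {
    // A sandboxed iframe (sandbox="allow-scripts" without
    // allow-top-navigation) rejects this. The body still stays hidden,
    // which is why the page hides by default instead of only busting.
  }
  return "hidden";
}

// Constructed stand-in for a browser Window (assumption: real pages pass
// the global `window`). framed: the page sits inside another document's
// frame. topBlocksNavigation: simulate a sandboxed frame whose top
// refuses to be navigated.
function makeWindow({ framed = false, topBlocksNavigation = false } = {}) {
  const win = {
    document: { body: { style: { display: "none" } } },
    location: { href: "https://app.example/login" },
  };
  win.self = win;
  if (!framed) {
    win.top = win;
  } else if (topBlocksNavigation) {
    win.top = {};
    Object.defineProperty(win.top, "location", {
      get() { throw new Error("SecurityError"); },
      set() { throw new Error("SecurityError"); },
    });
  } else {
    win.top = { location: { href: "https://attacker.example/" } };
  }
  return win;
}

// In a real page this runs at the top of <body>.
if (typeof window !== "undefined") {
  applyFrameBusting(window);
}
```

With JavaScript disabled the body simply never appears, which is the limitation the comment above points out, and a parent page can still prevent the break-out with an iframe sandbox; the script is therefore a fallback for browsers that do not honour the X-Frame-Options header, not a replacement for it.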

4

This is what I used and it works. I got everything from here: OWASP Clickjacking protection in java

Add one of these to web.xml, depending on which policy you want to enforce:

    <display-name>OWASP ClickjackFilter</display-name>
    <filter>
        <filter-name>ClickjackFilterDeny</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>DENY</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>ClickjackFilterSameOrigin</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>

    <!-- use the Deny version to prevent anyone, including yourself, from framing the page -->
    <filter-mapping>
        <filter-name>ClickjackFilterDeny</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- use the SameOrigin version to allow your application to frame, but nobody else
    <filter-mapping>
        <filter-name>ClickjackFilterSameOrigin</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    -->

    ...
Then in the Java code:

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletResponse;

    public class ClickjackFilter implements Filter {

        private String mode = "DENY";

        /**
         * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
         * decide to implement) not to display this content in a frame. For details, please
         * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
         */
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse res = (HttpServletResponse) response;
            // If you have Tomcat 5 or 6, there is a known bug using this code. You must have the doFilter first:
            chain.doFilter(request, response);
            res.addHeader("X-FRAME-OPTIONS", mode);
            // (A header added after the response has been committed, e.g. once a large
            // body has been flushed, is silently dropped by the servlet container.)
            // Otherwise use this:
            // res.addHeader("X-FRAME-OPTIONS", mode);
            // chain.doFilter(request, response);
        }

        public void destroy() {
        }

        public void init(FilterConfig filterConfig) {
            // "mode" is the <init-param> from web.xml: DENY or SAMEORIGIN
            String configMode = filterConfig.getInitParameter("mode");
            if (configMode != null) {
                mode = configMode;
            }
        }
    }
+0

Thanks! Just to add, the Java code needs to be compiled into a .jar file and placed in the Tomcat/lib directory – gordon613
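Both the servlet in the first answer and the filter above set X-Frame-Options, so the practical question is what the browser does with the value it receives. The following checker, an added example that is not code from either answer or from OWASP, reads the header section of an HTTP response (what `curl -sI <url>` prints) and decides whether the page may be displayed inside a given chain of framing documents, the way a browser decides it. It goes beyond the answers in one respect: it also handles `Content-Security-Policy: frame-ancestors`, which current browsers honour in preference to X-Frame-Options when both are present. Origins are "scheme://host[:port]" strings, `ancestors` lists every framing document's origin from the direct parent up to the top-level page, and the sample responses are constructed, not captured.

```javascript
// Added example, not code from the answers. Evaluates framing headers the
// way a browser does; sample responses below are constructed.

function parseHeaders(rawHeaders) {
  // Header text as printed by `curl -sI`; the status line has no colon and
  // is skipped. Repeated headers are kept as separate values.
  const headers = new Map();
  for (const line of rawHeaders.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(i + 1).trim());
  }
  return headers;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

function hostSourceMatches(source, origin) {
  // CSP host-source: "https://a.example", "a.example:8443" or "*.a.example"
  // (the wildcard matches subdomains only, never a.example itself).
  const o = new URL(origin);
  let scheme = null;
  let hostPort = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m) {
    scheme = m[1].toLowerCase();
    hostPort = m[2];
  }
  if (scheme !== null && scheme + ":" !== o.protocol) return false;
  const [host, port] = hostPort.toLowerCase().split(":");
  if (port !== undefined && port !== (o.port || defaultPort(o.protocol))) return false;
  if (host.startsWith("*.")) {
    const suffix = host.slice(1);
    return o.hostname.endsWith(suffix) && o.hostname.length > suffix.length;
  }
  return o.hostname === host;
}

function frameAncestorsVerdict(policy, pageOrigin, ancestors) {
  // true/false for a policy carrying frame-ancestors, null when it does not.
  const directive = policy.split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === "frame-ancestors");
  if (!directive) return null;
  const sources = directive.slice(1);
  // An empty source list, or the single source 'none', forbids all framing.
  if (sources.length === 0 || (sources.length === 1 && sources[0].toLowerCase() === "'none'")) {
    return ancestors.length === 0;
  }
  // Every ancestor in the chain must match at least one source expression.
  return ancestors.every((a) => sources.some((s) => {
    if (s === "*") return true;
    if (s.toLowerCase() === "'self'") return a === pageOrigin;
    return hostSourceMatches(s, a);
  }));
}

function xfoVerdict(value, pageOrigin, ancestors) {
  // RFC 7034 defines DENY and SAMEORIGIN. Browsers ignore any other token
  // (a typo such as "SAME-ORIGIN", or the deprecated ALLOW-FROM), so a
  // misspelled header gives no protection at all.
  const v = value.trim().toUpperCase();
  if (v === "DENY") return ancestors.length === 0;
  if (v === "SAMEORIGIN") return ancestors.every((a) => a === pageOrigin);
  return true;
}

function framingAllowed(rawHeaders, pageOrigin, ancestors) {
  const h = parseHeaders(rawHeaders);
  const cspVerdicts = (h.get("content-security-policy") || [])
    .map((p) => frameAncestorsVerdict(p, pageOrigin, ancestors))
    .filter((v) => v !== null);
  if (cspVerdicts.length > 0) {
    // When frame-ancestors is delivered, X-Frame-Options is ignored and
    // every delivered policy must allow the ancestor chain.
    return cspVerdicts.every(Boolean);
  }
  const xfo = h.get("x-frame-options") || [];
  if (xfo.length > 0) return xfo.every((v) => xfoVerdict(v, pageOrigin, ancestors));
  return true; // no framing header at all: any site may frame the page
}

// Constructed sample responses (not captured from a real server).
const SAMEORIGIN_RESPONSE =
  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n";
const TYPO_RESPONSE = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAME-ORIGIN\r\n";
const CSP_RESPONSE =
  "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n" +
  "Content-Security-Policy: default-src 'self'; frame-ancestors 'self' https://*.partner.example\r\n";
```

To check a deployed login page, paste the output of `curl -sI https://your-site/login` into `framingAllowed` with the page's origin and the origin of a site you do not control as the single ancestor; the expected result is `false`. The TYPO_RESPONSE case is the one to watch for: a value the browser does not recognise is simply ignored, so a misspelling in web.xml leaves the page framable with no error anywhere. If the filter above is extended to emit `frame-ancestors` as well, keep the two headers consistent, since browsers that understand the CSP directive will follow it rather than X-Frame-Options.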