
Iframe Breaking: How to Stop Allowing Iframing of Your Content

A visitor to my site told me that when he clicked on one of my links on Twitter, he was taken to my site with a huge popup and a malicious code warning. That's enough to scare anyone, so I started testing. There was nothing wrong with my website - the problem was the link.

The link on the other website had a toolbar on top that pushed people to click on a malicious link while loading my site in an iframe below it. To most people, it looked as if my website was serving the malicious code. I can't say I like any site loading my site inside an iframe, so I did what any reasonable geek would do… I loaded a frame buster.

Iframing your website isn't always a bad thing, though. We recently shared a tool, Faʻamataʻu, that adds a call to action (CTA) to any website link you share. It does this by loading your entire website inside an iframe and overlaying a div on your content with the call to action.

But I'm very particular about my content and the effort I've put into Martech Zone, so I don't want anyone embedding my content, even via a link-sharing platform. After doing some research, there are quite a few ways to handle this.

How to Stop Iframing of Your Content with JavaScript

This JavaScript code checks whether the current window (self) is not the top window (top). If it isn't, the page is inside a frame, iframe, or similar, and the script redirects the top window to the URL of the current window. This effectively breaks the page out of the iframe.

<script type='text/javascript'>
if (top !== self) top.location.href = self.location.href;
</script>

There are a few drawbacks to this approach:

  1. Dependence on JavaScript: If the user has JavaScript disabled, this method won't work.
  2. Delay: There may be a brief delay before the JavaScript executes, during which the framing of your site may be visible.
  3. Same-Origin Policy: In some cases, the Same Origin Policy may prevent this script from working as intended. If the parent document is on a different origin, top.location.href may not be accessible.
  4. Vulnerability to Frame-Busting-Busters: There are also scripts (known as frame-busting-busters) that can prevent frame-busting scripts from working.

The better approach is to use HTTP response headers.

X-Frame-Options and Content-Security-Policy

Both X-Frame-Options and Content-Security-Policy (CSP) are HTTP response headers used to improve the security of a website. They serve different purposes and differ in flexibility.

X-Frame-Options is an older HTTP header designed specifically to control whether your website can be embedded in a <frame>, <iframe>, <embed>, or <object> on another site. It has three possible directives:

  1. DENY - The page cannot be displayed in a frame, regardless of which site attempts to do so.
  2. SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.
  3. ALLOW-FROM uri - The page can only be displayed in a frame on the specified origin.

However, X-Frame-Options is limited because it can't handle more complex scenarios, such as allowing embedding from multiple different origins or using wildcards for subdomains. Not all browsers support the ALLOW-FROM directive.

Content-Security-Policy, on the other hand, is a more flexible and powerful HTTP header. While it can do everything X-Frame-Options can do and more, its primary purpose is to prevent a wide range of injection attacks, including cross-site scripting (XSS) and clickjacking. It works by specifying a whitelist of trusted sources of content (scripts, styles, images, etc.).

To control framing, CSP uses the frame-ancestors directive. You can specify multiple sources, including multiple domains and wildcards. Here's an example:

Content-Security-Policy: frame-ancestors 'self' yourdomain.com *.domain2.com;

This would allow the page to be framed on the same origin ('self'), on yourdomain.com, and on any subdomain of domain2.com.

CSP is recommended as a replacement for X-Frame-Options, since it can handle everything X-Frame-Options can, and more. While most modern browsers support CSP, there may still be some older or less common browsers that don't fully support it.
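To see how a browser applies a frame-ancestors source list to the origin that is trying to embed your page, here is an added example (not code from the article): a small evaluator that parses the directive and matches 'self', 'none', scheme sources and host sources with wildcards. Function names are hypothetical, and a host source written without a scheme is matched against any scheme, a simplification of the full CSP rules.

```javascript
// Added example, not code from the original article: decide whether a CSP
// frame-ancestors directive lets a given ancestor origin frame the page.
// Function names are hypothetical; a host-source without a scheme is matched
// against any scheme, a simplification of the CSP matching rules.

function parseFrameAncestors(cspHeader) {
  // Directives are ';'-separated; the first token of each is its name.
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null; // no frame-ancestors directive: CSP imposes no framing restriction
}

function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    // "*.domain2.com" matches app.domain2.com but not domain2.com itself
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// pageOrigin: origin of the page that sent the header (what 'self' refers to).
// ancestorOrigin: origin of the document attempting to embed it.
function isFramingAllowed(cspHeader, pageOrigin, ancestorOrigin) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true;
  const ancestor = new URL(ancestorOrigin);
  for (const raw of sources) {
    // 'self' is just the page's own origin, so it takes the host-source path
    const src = raw.toLowerCase() === "'self'" ? new URL(pageOrigin).origin : raw.toLowerCase();
    if (src === "'none'") return false;
    if (src.startsWith("'")) continue; // any other keyword is meaningless here
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) { // scheme-source such as "https:"
      if (src === ancestor.protocol) return true;
      continue;
    }
    // host-source: [scheme://]host[:port]; URL.port is '' on the default port
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(src);
    if (!m) continue;
    const schemeOk = m[1] === undefined || `${m[1]}:` === ancestor.protocol;
    const portOk = m[3] === undefined ? ancestor.port === '' : m[3] === '*' || m[3] === ancestor.port;
    if (schemeOk && portOk && hostMatches(m[2], ancestor.hostname)) return true;
  }
  return false;
}
```

Running the article's example policy through it shows that yourdomain.com does not cover www.yourdomain.com, while *.domain2.com covers app.domain2.com but not domain2.com itself.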

How to Stop Iframing of Your Content with HTML

There is now a Content-Security-Policy meta tag that can be embedded to stop your content from being framed:

<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self' yourdomain.com">

The usefulness of the HTML meta tag is limited because not all browsers honor the Content-Security-Policy when it is set via a meta tag.

How to Stop Iframing of Your Content with HTTP Headers

It's better to use the HTTP headers X-Frame-Options or Content-Security-Policy to control framing. These options are more reliable, more secure, and work even if JavaScript is disabled. The JavaScript method should be used only as a last resort if you don't have control of the server to set HTTP headers. In each example, replace yourdomain.com with your actual domain.

Apache – Modify your .htaccess file as follows:

Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' yourdomain.com"

Nginx – Modify your server block as shown below:

add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' yourdomain.com";

IIS – Do this by adding the following to your web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="frame-ancestors 'self' yourdomain.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

WordPress – Do this by adding the following code to your functions.php file:

function add_security_headers() {
  header('X-Frame-Options: SAMEORIGIN');
  header("Content-Security-Policy: frame-ancestors 'self' yourdomain.com");
}
add_action('send_headers', 'add_security_headers');

These directives will only allow your page to be embedded in iframes on the exact domain you specify, not on any of its subdomains. If you want to allow certain subdomains, you must list them explicitly, for example subdomain1.yourdomain.com subdomain2.yourdomain.com, and so on.

Allow Framing of Your Content from Multiple Domains

You can specify multiple domains in the Content-Security-Policy HTTP response header with the frame-ancestors directive. Each domain should be separated by a space. Here's an example:

Content-Security-Policy: frame-ancestors 'self' domain1.com domain2.com domain3.com;

Apache – Modify your .htaccess file as follows:

Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com"

Nginx – Modify your server block as shown below:

add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com";

IIS – Do this by adding the following to your web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <add name="Content-Security-Policy" value="frame-ancestors 'self' domain1.com domain2.com domain3.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Allow Framing of Your Content from a Wildcard Domain

You can also specify a wildcard for all subdomains using the Content-Security-Policy HTTP response header and the frame-ancestors directive. Here are the Content-Security-Policy examples that would need to be updated:

Content-Security-Policy: frame-ancestors 'self' *.yourdomain.com;

Apache – Modify your .htaccess file as follows:

Header always set Content-Security-Policy "frame-ancestors 'self' *.yourdomain.com"

Nginx – Modify your server block as shown below:

add_header Content-Security-Policy "frame-ancestors 'self' *.domain1.com *.domain2.com *.domain3.com";

IIS – Do this by adding the following to your web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="frame-ancestors 'self' *.yourdomain.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
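After deploying any of the server configurations above, it is worth checking what a page actually sends back. The following added example (not code from the article or the project) audits a response's headers and reports the framing policy in effect, flagging the points raised earlier: ALLOW-FROM being unsupported in some browsers, a wildcard opening the page to every subdomain, and X-Frame-Options being superseded by frame-ancestors. Function names are hypothetical and the sample responses are constructed to mirror the configurations above.

```javascript
// Added example, not code from the original article: audit a page's response
// headers and report the framing policy in effect plus the pitfalls the article
// notes. Names are hypothetical; "headers" is a plain object keyed by header
// name as Node's http module returns it. <meta> CSP is not inspected: per the
// CSP spec, frame-ancestors has no effect when delivered in a meta element.

function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key].trim();
}

function auditFramingHeaders(headers) {
  const findings = [];
  const xfo = getHeader(headers, 'x-frame-options');
  const csp = getHeader(headers, 'content-security-policy');
  const ancestors = csp === null ? undefined : csp.split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((t) => t[0].toLowerCase() === 'frame-ancestors');
  if (ancestors) {
    // Browsers that understand frame-ancestors ignore X-Frame-Options when both are set.
    const allowed = ancestors.slice(1);
    if (allowed.some((s) => s.startsWith('*.'))) {
      findings.push('wildcard source: every subdomain of that domain may frame the page');
    }
    if (xfo !== null) findings.push('X-Frame-Options is also set but frame-ancestors takes precedence');
    return { policy: 'csp', allowed, findings };
  }
  if (xfo !== null) {
    const value = xfo.toUpperCase();
    if (value.startsWith('ALLOW-FROM')) {
      findings.push('ALLOW-FROM is not supported by all browsers; use CSP frame-ancestors');
      return { policy: 'xfo', allowed: [xfo.slice(10).trim()], findings };
    }
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      findings.push('only X-Frame-Options is set; CSP frame-ancestors is the recommended replacement');
      return { policy: 'xfo', allowed: value === 'DENY' ? [] : ["'self'"], findings };
    }
    findings.push(`unrecognised X-Frame-Options value "${xfo}"`);
  }
  findings.push('no framing restriction: any origin can frame the page');
  return { policy: 'none', allowed: ['*'], findings };
}

// Constructed sample responses mirroring the article's server configurations.
const SAMPLES = {
  apache: { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self' yourdomain.com" },
  wildcard: { 'content-security-policy': "frame-ancestors 'self' *.yourdomain.com" },
  legacy: { 'x-frame-options': 'ALLOW-FROM https://yourdomain.com' },
  unprotected: { 'content-type': 'text/html' },
};
```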

Douglas Karr

Douglas Karr is CMO of OpenINSIGHTS and the founder of Martech Zone. Douglas has helped dozens of successful MarTech startups, has assisted in the due diligence of over $5 billion in Martech acquisitions and investments, and continues to assist companies in implementing and automating their sales and marketing strategies. Douglas is an internationally recognized digital transformation and MarTech expert and speaker. Douglas is also a published author of a Dummie's guide and a business leadership book.
