Iframe Breaking: How to Stop Iframing of Your Content
A visitor to my site told me that when he clicked one of my links on Twitter, he was taken to my site with a large popup and a malicious-code warning. That is enough to scare anyone, so I started doing some testing. There was nothing wrong with my site; the problem was the link.
The link on the other site loaded a toolbar across the top that pushed people to click a malicious link while loading my site in an iframe below it. To most visitors it looked as though my site was serving the malicious code. I don't like any site loading my site inside an iframe, so I did what any reasonable geek would do... I loaded up a frame-breaker.
Iframing your site isn't always bad, though. We recently shared a tool that adds a call-to-action (CTA) to any link you share. It does this by embedding your entire site inside an iframe and overlaying a div with the call-to-action on top of your content.
But I'm very particular about my content and the effort I put into Martech Zone, so I don't want anyone embedding my content, even on a link-sharing basis. After some research, there are several ways to handle this.
How to Stop Iframing of Your Content with JavaScript
This JavaScript checks whether the current window (self) is not the top-level window (top). If it isn't, the page is inside a frame, iframe or similar, and the script redirects the top window to the URL of the current window. This effectively breaks out of the iframe.
<script type='text/javascript'>
if (top !== self) top.location.href = self.location.href;
</script>
There are a few drawbacks to this approach:
- Reliance on JavaScript: if the visitor has JavaScript disabled, the technique does nothing.
- Delay: there can be a brief moment before the JavaScript executes, during which your framed site is visible.
- Same-Origin Policy: when the parent page is on another origin, the script cannot read top.location.href, but it is still allowed to assign to top.location. That is why the snippet writes the current URL into the top window instead of inspecting the parent. A framing page can block even that navigation by loading you in an iframe with a sandbox attribute that omits allow-top-navigation.
- Frame-busting busters: there are also scripts (known as frame-busting busters) that stop frame-breaking scripts from working, for example by intercepting the redirect with an onbeforeunload handler that prompts the visitor to stay.
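As an added example (my own code, not from the original post), here is the same check restructured so that the decision is a plain function that can be exercised against fake window objects outside a browser. It addresses two of the drawbacks above: the page is hidden until the script has confirmed it is the top window, so framed content never flashes on screen, and the cross-origin write to top.location is wrapped in try/catch so a sandboxed frame that refuses the navigation is detected instead of throwing. The helper names frameBust, makeWindow and makeSandboxedTop and the URLs in the fakes are assumptions for illustration.

```javascript
// Added example, not code from the original post: a frame-breaking routine whose
// decision logic is a pure function so it can be run against fake window objects.
// Compared with `if (top !== self) top.location.href = self.location.href;` it
//   1. hides the document until it has confirmed it is the top window, so a
//      framed copy never flashes on screen before the redirect, and
//   2. catches the SecurityError a sandboxed iframe (no allow-top-navigation)
//      raises when the cross-origin write to top.location is refused.

// Decide what to do for a window object `win` (the real `window` in a browser).
function frameBust(win) {
  if (win.top === win.self) {
    return { framed: false, action: 'show' };
  }
  try {
    // Writing top.location is permitted across origins even though reading
    // top.location.href is not, so the redirect works for a foreign parent.
    win.top.location = win.self.location.href;
    return { framed: true, action: 'redirect-top' };
  } catch (err) {
    // A sandboxed frame cannot navigate its top window; stay hidden instead.
    return { framed: true, action: 'blocked', error: String(err) };
  }
}

// Test helper (assumed, not a browser API): a minimal fake window. `top`
// defaults to the window itself (a standalone page); pass another fake to
// model being framed by it.
function makeWindow(href, top) {
  const w = { location: { href: href } };
  w.self = w;
  w.top = top || w;
  return w;
}

// Test helper: a fake top window that refuses navigation, as the top of a
// sandboxed iframe does.
function makeSandboxedTop(href) {
  const w = makeWindow(href);
  Object.defineProperty(w, 'location', {
    get() { return { href: href }; },
    set() { throw new Error('SecurityError: sandboxed frame may not navigate top'); },
  });
  return w;
}

// Browser wiring: place this script in <head>, before any content. The page is
// hidden first and only revealed once the top-window check passes; when framed
// it stays hidden whether or not the redirect went through.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  document.documentElement.style.display = 'none';
  if (!frameBust(window).framed) {
    document.documentElement.style.display = '';
  }
}
```

Because the document is hidden by default, a visitor whose browser blocks the redirect sees a blank page rather than your content under an attacker's overlay, which is the safer failure. The JavaScript-disabled case is still not covered; only the headers below handle that.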
The better approach is to use HTTP response headers.
X-Frame-Options ma Content-Security-Policy
Both X-Frame-Options and Content-Security-Policy (CSP) are HTTP response headers used to improve the security of a website. They serve different purposes and differ in how flexible they are.
X-Frame-Options is an older HTTP header designed specifically to control whether your site can be embedded in a <frame>, <iframe>, <embed> or <object> on another site. It has three possible directives:
DENY - The page cannot be displayed in a frame, regardless of which site is attempting to do so.
SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri - The page can be displayed in a frame only on the specified origin. This directive is obsolete: current browsers do not recognize it and ignore the header entirely when they encounter it.
However, X-Frame-Options is limited because it cannot express more complex policies, such as allowing embedding from several different origins or using wildcards for subdomains, and the ALLOW-FROM directive that was meant to cover a single extra origin is no longer supported by browsers.
Content-Security-Policy, on the other hand, is a far more flexible and powerful HTTP header. While it can do everything X-Frame-Options can and more, its primary purpose is protection against content-injection attacks, above all cross-site scripting (XSS), with clickjacking covered by one of its directives. It works by specifying an allowlist of trusted sources for content (scripts, styles, images and so on).
For controlling framing, CSP uses the frame-ancestors directive. You can specify multiple sources, including several origins and wildcards. Here is an example:
Content-Security-Policy: frame-ancestors 'self' yourdomain.com *.domain2.com;
This allows the page to be framed on the same origin ('self'), on yourdomain.com, and on any subdomain of domain2.com. Two details matter in practice: the wildcard *.domain2.com does not match domain2.com itself, so list the bare domain separately if you need it, and a host written without a scheme only matches https ancestors when your own page is served over https. The quotes around 'self' are required; the hostnames take none.
CSP is the recommended replacement for X-Frame-Options, since it can handle everything X-Frame-Options can and more. Although nearly every modern browser supports CSP, some older or less common browsers may not support it fully, which is why the examples below send both headers. A browser that understands frame-ancestors ignores X-Frame-Options when both are present, and one that does not falls back to X-Frame-Options.
How to Stop Iframing of Your Content with HTML
There is also a Content-Security-Policy meta tag that looks as if it could be used to restrict framing of your content:
<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self' yourdomain.com">
Do not rely on it. The CSP specification states that frame-ancestors is ignored when the policy is delivered in a meta element, and browsers follow the specification, so the tag above has no effect on framing. The directive only works when it is sent as an HTTP response header.
How to Stop Iframing of Your Content with HTTP Headers
It is better to use the HTTP headers X-Frame-Options or Content-Security-Policy to control framing. These options are more reliable and more secure, and they work even if JavaScript is disabled. The JavaScript approach should only be used as a last resort if you have no control over the server and cannot set HTTP headers. In each example, replace yourdomain.com with your actual domain.
Apache – edit your .htaccess file (mod_headers must be enabled) as follows:
Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' yourdomain.com"
Nginx – edit your server block as shown below. Note that add_header directives are not inherited by a location block that sets its own add_header, so place these at a level that covers every response or repeat them in such blocks:
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' yourdomain.com";
IIS – add the following to your web.config file:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="frame-ancestors 'self' yourdomain.com" />
</customHeaders>
</httpProtocol>
</system.webServer>
WordPress – add the following code to your theme's functions.php file:
// Send the anti-framing headers with every front-end response.
// Note: header() replaces any Content-Security-Policy header a plugin has
// already set, so merge the directives if another policy is in use.
function add_security_headers() {
header('X-Frame-Options: SAMEORIGIN');
header("Content-Security-Policy: frame-ancestors 'self' yourdomain.com");
}
// 'send_headers' fires before WordPress outputs any HTML, so header() still works here.
add_action('send_headers', 'add_security_headers');
These directives only allow your page to be embedded in iframes on the exact domain you specify, not on any of its subdomains. If you want to allow certain subdomains, you must list them explicitly, such as subdomain1.yourdomain.com, subdomain2.yourdomain.com, and so on.
Allowing Iframing of Your Content from Multiple Domains
You can specify multiple domains in the Content-Security-Policy response header with the frame-ancestors directive. Separate each domain with a space. The X-Frame-Options: SAMEORIGIN header sent alongside it only matters to browsers that do not understand frame-ancestors; those browsers will block the extra domains, because X-Frame-Options cannot list them. Here is an example:
Content-Security-Policy: frame-ancestors 'self' domain1.com domain2.com domain3.com;
Apache – edit your .htaccess file as follows:
Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com"
Nginx – edit your server block as shown below:
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com";
IIS – add the following to your web.config file:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
<add name="Content-Security-Policy" value="frame-ancestors 'self' domain1.com domain2.com domain3.com" />
</customHeaders>
</httpProtocol>
</system.webServer>
Allowing Iframing of Your Content from a Wildcard Domain
You can also specify a wildcard for all subdomains in the Content-Security-Policy HTTP response header with the frame-ancestors directive. The wildcard matches subdomains at any depth (app.yourdomain.com, a.b.yourdomain.com) but not yourdomain.com itself, so keep 'self' or the bare domain in the list if the page must also be framed there. Here is how the Content-Security-Policy code from the examples above needs to be updated:
Content-Security-Policy: frame-ancestors 'self' *.yourdomain.com;
Apache – edit your .htaccess file as follows:
Header always set Content-Security-Policy "frame-ancestors 'self' *.yourdomain.com"
Nginx – edit your server block as shown below:
add_header Content-Security-Policy "frame-ancestors 'self' *.yourdomain.com";
IIS – add the following to your web.config file:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="frame-ancestors 'self' *.yourdomain.com" />
</customHeaders>
</httpProtocol>
</system.webServer>
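To make the header semantics described in the X-Frame-Options and Content-Security-Policy section, the multiple-domain section and the wildcard section concrete, here is an added example (my own code, not from the original post or from any browser) that applies the frame-ancestors matching rules and the X-Frame-Options values to a constructed set of response headers and reports whether a given embedding origin would be allowed to frame the page. It encodes the precedence rule that a browser which sees frame-ancestors ignores X-Frame-Options, the wildcard rule that *.domain2.com excludes domain2.com, and the scheme rule that an https page does not accept http ancestors. The function names, the sample header values and the origins used are assumptions for illustration; IPv6 hosts and path components in sources are deliberately not handled, and SAMEORIGIN is compared against the single ancestor given.

```javascript
// Added example, not code from the original post: given the response headers a
// page was served with, decide whether a particular embedding origin would be
// allowed to frame it. Implements the CSP frame-ancestors matching rules
// ('self', 'none', scheme-only sources, host sources with optional scheme, port
// and a leading "*." wildcard), the X-Frame-Options values, and the rule that a
// browser which sees frame-ancestors ignores X-Frame-Options.

// Return the frame-ancestors source list from a CSP header value, or null when
// the directive is absent (e.g. a policy that only sets default-src).
function parseFrameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

// "*.example.com" matches any subdomain at any depth, but not "example.com".
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    return host.endsWith(pattern.slice(1));
  }
  return pattern === host;
}

// Does one frame-ancestors source expression admit ancestorOrigin?
function sourceMatches(source, pageOrigin, ancestorOrigin) {
  const page = new URL(pageOrigin);
  const anc = new URL(ancestorOrigin);
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return page.origin === anc.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return anc.protocol === src; // e.g. "https:"

  // host-source: [scheme://]host[:port]
  let scheme = null;
  let hostPort = src;
  const m = src.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  if (m) {
    scheme = m[1] + ':';
    hostPort = m[2];
  }
  const [hostPattern, port] = hostPort.split(':');

  if (scheme !== null) {
    if (anc.protocol !== scheme) return false;
  } else if (anc.protocol !== page.protocol &&
             !(page.protocol === 'http:' && anc.protocol === 'https:')) {
    // No scheme given: the ancestor must use the page's scheme; an http page
    // additionally accepts https ancestors, but an https page never accepts http.
    return false;
  }
  if (!hostMatches(hostPattern, anc.hostname.toLowerCase())) return false;
  if (port === '*') return true;
  // No port in the source means the scheme's default port, for which URL.port is ''.
  return (port || '') === anc.port;
}

// X-Frame-Options: DENY and SAMEORIGIN are honoured; any other value, including
// the obsolete ALLOW-FROM, is invalid and current browsers ignore the header.
function xfoAllows(xfoValue, pageOrigin, ancestorOrigin) {
  const v = xfoValue.trim().toUpperCase();
  if (v === 'DENY') return false;
  if (v === 'SAMEORIGIN') return new URL(pageOrigin).origin === new URL(ancestorOrigin).origin;
  return true;
}

// headers: object keyed by lower-case header name, as Node's http module and
// fetch() both provide. Returns true when ancestorOrigin may frame pageOrigin.
function framingAllowed(headers, pageOrigin, ancestorOrigin) {
  const csp = headers['content-security-policy'];
  const sources = csp ? parseFrameAncestors(csp) : null;
  if (sources !== null) {
    // frame-ancestors present: X-Frame-Options is ignored.
    return sources.some((s) => sourceMatches(s, pageOrigin, ancestorOrigin));
  }
  const xfo = headers['x-frame-options'];
  if (xfo) return xfoAllows(xfo, pageOrigin, ancestorOrigin);
  return true; // no framing protection at all
}

// Constructed sample: the header pair the configuration examples above produce.
const SAMPLE_HEADERS = {
  'x-frame-options': 'SAMEORIGIN',
  'content-security-policy': "frame-ancestors 'self' yourdomain.com *.domain2.com;",
};
const PAGE = 'https://martech.zone'; // assumed origin of the protected page
```

Feed it the headers from a real response (for example the object returned by fetch(url).headers in Node) and a list of the origins you expect to allow and deny; a mismatch between what the function returns and what you intended usually points at a missing scheme, a wildcard that was meant to include the apex domain, or a CSP that a plugin overwrote so that frame-ancestors is no longer present.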