Html: Why are iframes considered dangerous and a security risk?

Disclaimer: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA terms, cite the original URL and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/7289139/

Date: 2020-08-29 10:25:40  Source: igfitidea

Why are iframes considered dangerous and a security risk?

Tags: html, security, iframe

Asked by Daniel T.

Why are iframes considered dangerous and a security risk? Can someone describe an example of a case where it can be used maliciously?


Accepted answer by Diodeus - James MacFarlane

As soon as you're displaying content from another domain, you're basically trusting that domain not to serve-up malware.


There's nothing wrong with iframes per se. If you control the content of the iframe, they're perfectly safe.


Answered by Mikko Rantalainen

The IFRAME element may be a security risk if your site is embedded inside an IFRAME on a hostile site. Google "clickjacking" for more details. Note that it does not matter if you use <iframe> or not. The only real protection from this attack is to add HTTP header X-Frame-Options: DENY and hope that the browser knows its job.


In addition, the IFRAME element may be a security risk if any page on your site contains an XSS vulnerability which can be exploited. In that case the attacker can expand the XSS attack to any page within the same domain that can be persuaded to load within an <iframe> on the page with the XSS vulnerability. This is because content from the same origin (same domain) is allowed to access the parent content DOM (practically execute JavaScript in the "host" document). The only real protection methods from this attack are to add HTTP header X-Frame-Options: DENY and/or always correctly encode all user submitted data (that is, never have an XSS vulnerability on your site - easier said than done).


That's the technical side of the issue. In addition, there's the issue of user interface. If you teach your users to trust that the URL bar is supposed to not change when they click links (e.g. your site uses a big iframe with all the actual content), then the users will not notice anything in the future either in case of an actual security vulnerability. For example, you could have an XSS vulnerability within your site that allows the attacker to load content from a hostile source within your iframe. Nobody could tell the difference because the URL bar still looks identical to previous behavior (never changes) and the content "looks" valid even though it's from a hostile domain requesting user credentials.


If somebody claims that using an <iframe> element on your site is dangerous and causes a security risk, he does not understand what the <iframe> element does, or he is speaking about the possibility of <iframe>-related vulnerabilities in browsers. Security of the <iframe src="..."> tag is equal to <img src="..."> or <a href="..."> as long as there are no vulnerabilities in the browser. And if there's a suitable vulnerability, it might be possible to trigger it even without using an <iframe>, <img> or <a> element, so it's not worth considering for this issue.


However, be warned that content from an <iframe> can initiate top level navigation by default. That is, content within the <iframe> is allowed to automatically open a link over the current page location (the new location will be visible in the address bar). The only way to avoid that is to add the sandbox attribute without the value allow-top-navigation. For example, <iframe sandbox="allow-forms allow-scripts" ...>. Unfortunately, sandbox also disables all plugins, always. For example, Youtube content cannot be sandboxed because Flash player is still required to view all Youtube content. No browser supports using plugins and disallowing top level navigation at the same time.


Note that X-Frame-Options: DENY also protects from the rendering performance side-channel attack that can read content cross-origin (also known as "Pixel Perfect Timing Attacks").


Answered by Joe Zack

I'm assuming cross-domain iFrame since presumably the risk would be lower if you controlled it yourself.


  • Clickjacking is a problem if your site is included as an iframe
  • A compromised iFrame could display malicious content (imagine the iFrame displaying a login box instead of an ad)
  • An included iframe can make certain JS calls like alert and prompt which could annoy your user
  • An included iframe can redirect via location.href (yikes, imagine a 3p frame redirecting the customer from bankofamerica.com to bankofamerica.fake.com)
  • Malware inside the 3p frame (java/flash/activeX) could infect your user

Answered by Quentin

"Dangerous" and "Security risk" are not the first things that spring to mind when people mention iframes … but they can be used in clickjacking attacks.


Answered by Achint vishwas

iframe is also vulnerable to Cross Frame Scripting: "https://www.owasp.org/index.php/Cross_Frame_Scripting"
