Html 保护 iFrame - 只允许它在一个域上工作
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/8169582/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Protecting iFrame - Only allow it to work on one domain
提问by Drew
I have a Widget that I created and I am embedding it on other websites using an iFrame. What I want to do is make sure no one can view the source and copy the iFrame code and put it on their own website.
我有一个我创建的小部件,我正在使用 iFrame 将它嵌入到其他网站上。我想要做的是确保没有人可以查看源代码并复制 iFrame 代码并将其放在自己的网站上。
I can store the URL that it should be allowed on in the database. I've seen it done before, one site had a long encrypted code and if it didn't match with the domain then it said Access Denied..
我可以在数据库中存储应该允许它的 URL。我以前见过它,一个站点有一个很长的加密代码,如果它与域不匹配,那么它会说拒绝访问..
Does anyone know how I can do this?
有谁知道我怎么能做到这一点?
Thanks!
谢谢!
回答by noob
No you can't do this. The best thing you can do is the following:
不,你不能这样做。您可以做的最好的事情是:
if (window.top.location.host != "hostname") {
document.body.innerHTML = "Access Denied";
}
Add the above to your JavaScript and then use a JavaSript obfuscator
将上述内容添加到您的 JavaScript 中,然后使用JavaSript 混淆器
回答by weiyin
You cannot prevent people from looking at your HTML, but there are some headers can allow you to specify what sites can embed your iframe. Take a look at the X-Frame-Optionsheader and the frame-ancestorsdirective of Content-Security-Policy. Browsers that respect it will refuse to load the iframe when embedded into someone else's site.
您无法阻止人们查看您的 HTML,但有一些标题可以让您指定哪些网站可以嵌入您的 iframe。看一下 的X-Frame-Options标题和frame-ancestors指令Content-Security-Policy。当嵌入到其他人的站点时,尊重它的浏览器将拒绝加载 iframe。
回答by Dark Falcon
On the server in the code for the page displayed in the IFRAME, check the value of the Refererheader. Unless this header has been blocked for privacy reasons, it contains the URL of the page which hosts the IFRAME.
在 IFRAME 中显示的页面代码的服务器上,检查Referer标题的值。除非出于隐私原因阻止此标头,否则它包含承载 IFRAME 的页面的 URL。
回答by Mech Software
What you are asking for is pretty much impossible. If you make the source available on the web someone can copy it one way or another. Any javascript tricks can be defeated by using low level tools like wget or curl.
你所要求的几乎是不可能的。如果您在网络上提供源代码,则有人可以以一种或另一种方式复制它。任何 javascript 技巧都可以通过使用 wget 或 curl 等低级工具来击败。
So even if you protect it, you're still going to find that someone could in theory copy the code (as the browser would receive it) and could if so determined put it on their own website.
因此,即使您保护它,您仍然会发现理论上有人可以复制代码(就像浏览器会收到它一样),并且如果有决心的话,可以将它放在自己的网站上。
回答by Sergey
I faced the same problem, but I return the user on a home page. I spread the decision.
我遇到了同样的问题,但我在主页上返回了用户。我传播了决定。
It has to be placed where there is iframe
它必须放在有 iframe 的地方
<script>
$(window).load(function () {
var timetoEnd = '';
var dstHost = 'YOUR-ALLOW-HOST';
var backToUrl = 'BACK-TO-URL';
function checkHost(){
var win = window.frames.YOUR-IFRAME-NAME;
win.postMessage('checkHost', dstHost);
console.log('msg Sended');
clearInterval(timetoEnd);
timetoEnd = setInterval(function () {
window.location.href = backToUrl;
}, 5000);
}
function validHost(event) {
if (event.data == 'checkHostTrue') {
clearInterval(timetoEnd);
console.log('checkHostTrue');
} else {
return;
}
}
window.addEventListener("message", validHost, false);
checkHost();
setInterval(function () {
checkHost();
}, 10000
);
});
</script>
It has to be placed into your src iframe
它必须放入您的 src iframe
<script>
function receiveMessage(event)
{
if(event.data=='checkHost'){
event.source.postMessage("checkHostTrue",
event.origin);
} else {
return;
}
}
window.addEventListener("message", receiveMessage, false);
</script>
