Bypassing iframe busting

Recently a project required embedding third-party sites, Renren for example, in an iframe on our page. When the front-end engineer ran into trouble with it, I took a look and found that Renren was doing iframe busting (frame busting): a script in the framed page detects that it is not the top window and navigates the top window to itself, throwing the embedding page away.


After some research, the cleanest workaround turned out to be answering the frame-buster's navigation with an HTTP 204 No Content response.


The description of 204 in RFC 2616 (section 10.2.5) makes clear why it helps:

The server has fulfilled the request but does not need to return an entity-body, and might want to return updated metainformation. The response MAY include new or updated metainformation in the form of entity-headers, which if present SHOULD be associated with the requested variant.

If the client is a user agent, it SHOULD NOT change its document view from that which caused the request to be sent. This response is primarily intended to allow input for actions to take place without causing a change to the user agent's active document view, although any new or updated metainformation SHOULD be applied to the document currently in the user agent's active view.


So, in the embedding page (the one that contains the iframe), install an onbeforeunload handler and a short timer. When the framed page's frame-busting script assigns top.location, the embedding page's onbeforeunload fires; the timer then immediately navigates the top window to a URL that answers 204. Because a 204 does not change the user agent's document view, the browser stays on the embedding page and the frame-buster's pending navigation is dropped:

    // Counter bumped by the frame-buster's attempt to navigate top away.
    var preventBusting = 0;
    window.onbeforeunload = function() { preventBusting++; };
    setInterval(function() {
        if (preventBusting > 0) {
            preventBusting -= 2;   // react once per beforeunload event
            // Navigate top to a URL that returns 204 No Content; the browser
            // keeps its current document, cancelling the frame-buster's navigation.
            window.top.location = 'http://yourwebserver/attacker';
        }
    }, 0.5);   // sub-millisecond value; the browser clamps it to its minimum timer interval

This only defeats script-based frame busting, and it depends on how the browser handles onbeforeunload and a 204 response during a top-level navigation, so verify it against the browsers you target. A site that sends X-Frame-Options or a Content-Security-Policy with frame-ancestors cannot be bypassed this way, because the browser refuses to render the page in a frame before any script runs.

On Apache, add the following to return 204 for that path (it must come after alias_module is loaded, since RedirectMatch is provided by mod_alias; a status outside 300-399 takes no target URL):

    RedirectMatch 204 attacker(.*)$

Note that the pattern is not anchored on the left, so it matches any path containing "attacker"; tighten it to ^/attacker$ if that matters.

On nginx, it is much the same:

    location = /attacker {
        return 204;
    }

Tested and working.
