绕过iframe busting

最新推荐文章于 2026-03-04 21:17:58 发布

原创最新推荐文章于 2026-03-04 21:17:58 发布 · 1.2k 阅读

0 ·

本内容遵循CC 4.0 BY-SA版权协议

标签

#iframe #function #user #include #module

前端同时被 3 个专栏收录

7 篇文章

订阅专栏

ajax

4 篇文章

订阅专栏

nginx

1 篇文章

订阅专栏

本文详细介绍了如何通过HTTP 204响应解决iframebusting问题，确保网页安全地嵌入第三方网站，如人人网。通过在onbeforeunload事件中加入特定代码和配置服务器响应，实现对iframe的正确处理。

最近因为项目的需要，要用iframe网页里边嵌入第三方的网站。比如人人网。前端工程师发现这个问题后，我过去看了看，发现是因为人人做了iframe busting。

后来研究了一下，比较好的方式就是当通过http 204来处理这个问题。

通过描述，就知道它的作用是干什么。

The server has fulfilled the request but does not need to return an entity-body, and might want to return updated metainformation. The response MAY include new or updated metainformation in the form of entity-headers, which if present SHOULD be associated with the requested variant.

If the client is a user agent, it SHOULD NOT change its document view from that which caused the request to be sent. This response is primarily intended to allow input for actions to take place without causing a change to the user agent's active document view, although any new or updated metainformation SHOULD be applied to the document currently in the user agent's active view.

所以，在网页的onbeforeunload加入这段代码:

var preventBusting = 0;
    window.onbeforeunload = function() { preventBusting++}
    setInterval(function() {
        if (preventBusting > 0) {
            preventBusting -= 2;
            window.top.location = 'http://yourwebserver/attacker';
        }}, 0.5);

如果是apache, 加入下面这段代码来处理204返回，在alias_module后，

 RedirectMatch 204 attacker(.*)$

nginx的话，差不多类似的方式

location = /attacker {
            return 204;
         }

测试通过。