Prevent malicious nesting of pages by iframe and malicious nesting of iframe

Source: Internet
Author: User


New blog address: http://hengyunabc.github.io/prevent-iframe-stealing/

Origin

The following code is meant to stop the page from being loaded inside an iframe on another site:

    try {
        if (window.top != window.self) {
            var ref = document.referer;   // misspelled: the DOM property is document.referrer
            if (ref.substring(0, 2) === '//') {
                ref = 'http:' + ref;
            } else if (ref.split('://').length === 1) {
                ref = 'http://' + ref;
            }
            // hand-rolled URL parsing: split off the authority, then userinfo, then port
            var url = ref.split('/');
            var _l = {auth: ''};
            var host = url[2].split('@');
            if (host.length === 1) {
                host = host[0].split(':');
            } else {
                _l.auth = host[0];
                host = host[1].split(':');
            }
            var parentHostName = host[0];
            // substring match on the parent host name
            if (parentHostName.indexOf("test.com") == -1 && parentHostName.indexOf("test2.com") == -1) {
                top.location.href = "http://www.test.com";
            }
        }
    } catch (e) {}

Assume that test.com and test2.com are the site's own domains. When another website frames a page from this site, the page is supposed to redirect the top window back to this site's home page.

The above code has three problems:

  • referer is misspelled; the DOM property is document.referrer. Because of the typo, ref is undefined, ref.substring throws, the catch block swallows the exception, and the check never runs at all.
  • The hand-written referrer parsing is far too complex and not necessarily correct.
  • indexOf("test.com") == -1 is a substring test, so a framing page hosted at evil-test.com or test.com.attacker.net passes the check.

We do not recommend writing your own URL parsing code in any language: URL syntax is far more complex than most people expect, and many security problems are caused by incorrect URL parsing. A common example is a referrer check intended to prevent CSRF.

URI syntax:

http://en.wikipedia.org/wiki/URI_scheme#Generic_syntax

The best way to parse URLs in JavaScript

The best way to parse a URL in JavaScript is to let the browser's own parser do the work: create an anchor (a) element, assign the URL to its href, and read the parsed components from its properties:

    var getLocation = function(href) {
        var l = document.createElement("a");
        l.href = href;   // the browser parses it into protocol, hostname, port, pathname, ...
        return l;
    };
    var l = getLocation("http://example.com/path");
    console.debug(l.hostname);   // "example.com"

Simple anti-iframe malicious Nesting Method

The following is a more concise way to prevent a page from being framed by another site. Two caveats apply to it, as to any script-based frame busting: it relies on document.referrer being present (a Referrer-Policy can blank it, in which case the check is skipped), and a framing page can neutralise the redirect with the iframe sandbox attribute. The robust control is the X-Frame-Options response header or the Content-Security-Policy frame-ancestors directive, sent by the server, with the script below as a supplement.

    if (window.top != window && document.referrer) {
        var a = document.createElement("a");
        a.href = document.referrer;
        var host = a.hostname;   // parsed by the browser, already lower-cased
        var endsWith = function (str, suffix) {
            return str.indexOf(suffix, str.length - suffix.length) !== -1;
        };
        // Accept the bare domain or a subdomain of it. Requiring the leading dot
        // rejects evil-test.com; matching the whole host rejects test.com.attacker.net.
        var isOwnHost = function (h, domain) {
            return h === domain || endsWith(h, '.' + domain);
        };
        // Redirect only if the host matches neither of our domains (the original
        // used ||, which is always true and redirected even when framed by ourselves).
        if (!isOwnHost(host, 'test.com') && !isOwnHost(host, 'test2.com')) {
            top.location.href = "http://www.test.com";
        }
    }

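As an added example that is not part of the original post, here is the same check written so that it also runs outside a browser (and therefore can be unit-tested): it uses the WHATWG URL constructor, which every current browser and Node.js expose, in place of the anchor-element trick, and it applies the same dot-suffix rule so that evil-test.com and test.com.attacker.net are rejected while www.test.com and bare test2.com are accepted. Unlike the snippet above, an empty or unparseable referrer is treated as untrusted rather than skipping the check. The domain list, the home URL and the function names are assumptions standing in for the post's test.com / test2.com.

```javascript
// Added example (not from the original post). Referrer-based frame check using the
// WHATWG URL parser; ALLOWED_HOSTS and HOME_URL are assumed values for illustration.
const ALLOWED_HOSTS = ['test.com', 'test2.com'];
const HOME_URL = 'http://www.test.com';

// True if `host` is exactly `domain` or a subdomain of it. A plain substring test
// (indexOf / contains) or endsWith('test.com') without the dot would also accept
// evil-test.com or test.com.attacker.net.
function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Parse the referrer with the platform's own URL parser and decide whether the
// framing page belongs to one of our domains. Empty, unparseable or host-less
// referrers (e.g. javascript: URLs) are untrusted, so the function fails closed.
function isAllowedFramer(referrer, allowed = ALLOWED_HOSTS) {
  if (!referrer) return false;
  let host;
  try {
    // The parser strips userinfo, port, path, query and fragment and lower-cases the host.
    host = new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return false;
  }
  if (!host) return false;
  return allowed.some((domain) => hostMatches(host, domain));
}

// Browser entry point. `win` and `doc` are passed in so the logic can be exercised
// with stand-in objects; returns true if a redirect was issued.
function frameBust(win, doc, homeUrl = HOME_URL) {
  if (win.top === win.self) return false;       // not framed at all
  if (isAllowedFramer(doc.referrer)) return false; // framed by one of our own pages
  win.top.location.href = homeUrl;              // framed by a foreign page: break out
  return true;
}

// Run automatically when loaded in a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  frameBust(window, document);
}
```

In a real deployment the script only complements the server-side X-Frame-Options or frame-ancestors header; a framing page that sets the sandbox attribute on its iframe can stop the top-level navigation, and a strict Referrer-Policy on the framing page leaves document.referrer empty.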
How to process URLs in Java

http://docs.oracle.com/javase/tutorial/networking/urls/urlInfo.html

Be careful with substring-style helpers such as contains, indexOf and endsWith: host.contains("test.com") and host.endsWith("test.com") both match evil-test.com, and contains also matches test.com.attacker.net. Compare the parsed host against the exact domain, or against a suffix that begins with a dot.

    import java.net.URL;

    public class ParseURL {
        public static void main(String[] args) throws Exception {
            // java.net.URL does the parsing; read the components from its accessors
            URL aURL = new URL("http://example.com:80/docs/books/tutorial"
                               + "/index.html?name=networking#DOWNLOADING");
            System.out.println("protocol = " + aURL.getProtocol());
            System.out.println("authority = " + aURL.getAuthority());
            System.out.println("host = " + aURL.getHost());
            System.out.println("port = " + aURL.getPort());
            System.out.println("path = " + aURL.getPath());
            System.out.println("query = " + aURL.getQuery());
            System.out.println("filename = " + aURL.getFile());
            System.out.println("ref = " + aURL.getRef());
        }
    }

References

http://stackoverflow.com/questions/736513/how-do-i-parse-a-url-into-hostname-and-path-in-javascript

http://stackoverflow.com/questions/5522097/prevent-iframe-stealing
