Preventing your site's pages from being loaded in a FRAME
1. Meta tags: often without effect, since browsers ignore them
<meta http-equiv="Window-target" content="_top">
2. JavaScript that checks whether the window is the top-level window and jumps to it. This is easily bypassed, so it is of limited value:
function locationTop() {
    if (top.location != self.location) {
        top.location = self.location;
        return false;
    }
    return true;
}
locationTop();
Bypass:
// In the top-level (framing) window, put: var location = document.location;
// or: var location = "";
3. Header control, supported by most browsers
The X-Frame-Options HTTP response header is a token that tells a browser whether a page may be rendered inside a <frame>, <iframe> or <object>. A site can use it to ensure that its content is not embedded in someone else's website, and so avoid clickjacking attacks.
Using X-Frame-Options
X-Frame-Options takes one of three values:
- DENY: the page may not be displayed in a frame at all, even when nested in a page of the same domain name.
- SAMEORIGIN: the page may be displayed in a frame only on a page of the same domain name.
- ALLOW-FROM uri: the page may be displayed in a frame only on the specified origin.
In other words, if set to DENY, the page will fail to load not only when framed by someone else's website but also when framed by a page on the same domain name. If set to SAMEORIGIN, on the other hand, the page can be nested in a frame on a page of the same domain name.
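As an added example (not code from the original post), the following Python function applies the X-Frame-Options check the way the HTML standard specifies it for current browsers, so the effect of each value above can be tried against constructed URLs. Note that the legacy ALLOW-FROM form is treated as an invalid value by current browsers, which then ignore the header entirely; `origin_of` and `xfo_allows_framing` are names chosen here, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return the scheme://host[:port] origin of a URL, lower-cased (helper added here)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def xfo_allows_framing(header_value, page_url, ancestor_urls):
    """Apply the HTML-spec X-Frame-Options check to one framed response.

    header_value  -- raw header value, or None if the response carried no header;
                     multiple header lines are assumed to have been joined with ','.
    page_url      -- URL of the response that is being framed.
    ancestor_urls -- URLs of every ancestor browsing context, innermost first.
    Returns (allowed, reason).
    """
    if not ancestor_urls:
        return True, "top-level navigation: header not applicable"
    if header_value is None:
        return True, "no X-Frame-Options header: framing allowed"
    # "get, decode and split": comma-separated, whitespace stripped, ASCII-lowercased,
    # duplicates collapsed (quoted-string handling is omitted for brevity)
    values = {v.strip().lower() for v in header_value.split(",") if v.strip()}
    if len(values) > 1:
        if values & {"deny", "allowall", "sameorigin"}:
            return False, "conflicting directives: treated as DENY"
        return True, "multiple invalid values: header ignored"
    value = next(iter(values), "")
    if value == "deny":
        return False, "DENY"
    if value == "sameorigin":
        page_origin = origin_of(page_url)
        for url in ancestor_urls:  # every ancestor must share the page's origin
            if origin_of(url) != page_origin:
                return False, f"SAMEORIGIN: ancestor {origin_of(url)} is cross-origin"
        return True, "SAMEORIGIN: every ancestor is same-origin"
    # Anything else, including the legacy "ALLOW-FROM uri" form, is an invalid
    # value, and current browsers then behave as if the header were absent.
    return True, f"invalid value {value!r}: header ignored, framing allowed"


if __name__ == "__main__":
    # Constructed sample: one login page framed from its own host and from another host
    for hdr in ("DENY", "SAMEORIGIN", "ALLOW-FROM https://partner.example", None):
        for framer in ("https://app.example/home", "https://evil.example/page"):
            allowed, why = xfo_allows_framing(hdr, "https://app.example/login", [framer])
            print(f"{str(hdr):36} framed by {framer:27} -> "
                  f"{'ALLOWED' if allowed else 'BLOCKED'} ({why})")
```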
Configure Apache
To have Apache send the X-Frame-Options response header on all pages, add the following line to the site's configuration:
Header always append X-Frame-Options SAMEORIGIN
Configure Nginx
To have Nginx send the X-Frame-Options response header, add the following line to the http, server or location block of the configuration:
add_header X-Frame-Options SAMEORIGIN;
Configure IIS
To have IIS send the X-Frame-Options response header, add the following configuration to the web.config file:
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
Results
When Firefox tries to load the content of a frame and the X-Frame-Options response header forbids it, Firefox shows about:blank in the frame. Displaying an error message instead would arguably be better.
Reference articles: http://blog.sina.com.cn/s/blog_67196ddc0102v2pu.html, https://developer.mozilla.org/zh-CN/docs/Web/HTTP/X-frame-options
Copyright notice: this article is the blogger's original work; reproduction without the blogger's permission is prohibited.