• X-Frame-Options


    X-Frame-Options

    The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

    The added security is provided only if the user accessing the document is using a browser that supports X-Frame-Options.

    Note: The Content-Security-Policy HTTP header has a frame-ancestors directive which obsoletes this header for supporting browsers.

    Syntax

    There are two possible directives for X-Frame-Options:

    X-Frame-Options: DENY
    X-Frame-Options: SAMEORIGIN
    

    Directives

    If you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.

    DENY
    The page cannot be displayed in a frame, regardless of the site attempting to do so.
    SAMEORIGIN
    The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin (see bug 725490). Also see Browser compatibility for support details.
    ALLOW-FROM uri 
              This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin uri. Note that in the legacy Firefox implementation this still suffered from the same problem as SAMEORIGIN did — it doesn't check the frame ancestors to see if they are in the same origin. The Content-Security-Policy HTTP header has a frame-ancestors directive which you can use instead.

    Configuring IIS

    To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file:

    <system.webServer>
      ...
    
      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
      </httpProtocol>
    
      ...
    </system.webServer>
    

    Or see this Microsoft support article on setting this configuration using the IIS Manager user interface.

    (一)安全防护:X-Frame-Options(点击劫持)

    漏洞描述:
    点击劫持(ClickJacking)是一种视觉上的欺骗手段。攻击者使用一个透明的iframe,覆盖在一个网页上,然后诱使用户在网页上进行操作,此时用户将在不知情的情况下点击透明的iframe页面。通过调整iframe页面的位置,可以诱使用户恰好点击在iframe页面的一些功能性按钮上。
    HTTP响应头信息中的X-Frame-Options,可以指示浏览器是否应该加载一个iframe中的页面。如果服务器响应头信息中没有X-Frame-Options,则该网站存在ClickJacking攻击风险。网站可以通过设置X-Frame-Options阻止站点内的页面被其他页面嵌入从而防止点击劫持。
    解决方案:

    修改web服务器配置,添加X-Frame-Options响应头。赋值有如下三种:
    1、DENY:不能被嵌入到任何iframe或者frame中。
    2、SAMEORIGIN:页面只能被本站页面嵌入到iframe或者frame中
    3、ALLOW-FROM uri:只能被嵌入到指定域名的框架中

    Syntax

    There are two possible directives for X-Frame-Options:

    X-Frame-Options: DENY
    X-Frame-Options: SAMEORIGIN
    

    Directives

    If you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.

    DENY
    The page cannot be displayed in a frame, regardless of the site attempting to do so.
    SAMEORIGIN
    The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin (see bug 725490). Also see Browser compatibility for support details.
    ALLOW-FROM uri

    This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin uri. Note that in the legacy Firefox implementation this still suffered from the same problem as SAMEORIGIN did — it doesn't check the frame ancestors to see if they are in the same origin. The Content-Security-Policy HTTP header has a frame-ancestors directive which you can use instead.

  • 相关阅读:
    04-26mysql命令(数据库操作层级,建表,对表的操作)
    mysql 建表和查询 大全 (待补全)
    04-21数据操作
    4-20 mysql 整理 (建表语句和mysql命令)
    MySql 初步整理
    初识jQuery 基础篇 借鉴版
    jQuery基础整理!!
    JS节点操作 (表格在js中添加行和单元格,并有一个删除键)
    一阶段项目结尾整理
    Css 分类 属性 选择器
  • 原文地址:https://www.cnblogs.com/chucklu/p/14440235.html
Copyright © 2020-2023  润新知