Linux server network security: protecting Web interfaces against clickjacking attacks
Clickjacking is a common attack technique in web security. It exploits the trust users place in their own clicks: the real target of the user's click is covertly replaced by a malicious link or button, so the user is lured into clicking and ends up carrying out an action the attacker prepared in advance. Protecting Web interfaces from clickjacking is an important task in Linux server security, and this article focuses on the relevant countermeasures.
1. Understanding how clickjacking works
Clickjacking abuses the HTML iframe element together with the CSS z-index property. The attacker inserts a transparent iframe into a page they control, uses the z-index property to layer that iframe over the visible area of the page the user believes they are interacting with, and renders the framed target page transparent, so that the user's click lands on the button or link the attacker has positioned underneath.
2. Defending against clickjacking with X-Frame-Options
X-Frame-Options is an HTTP response header that tells the browser whether the current page may be displayed inside an iframe. In the usual case it is set to either "DENY" or "SAMEORIGIN" to stop the page from being framed: "DENY" refuses every iframe embedding, while "SAMEORIGIN" allows embedding only by pages of the same origin.
On a Linux server, the X-Frame-Options response header can be set by adding the following line to the Web server's configuration file (Apache httpd syntax, which needs mod_headers loaded):
# Apache httpd mod_headers directive: add the header to every response.
# Use "Header always set ..." as well if locally generated redirects and
# error pages must carry the header too, since those only use the "always" table.
Header set X-Frame-Options "SAMEORIGIN"
This stops pages from other origins from framing the Web interface and is an effective defence against clickjacking.
3. Defending against clickjacking with Content Security Policy
Content Security Policy (CSP) is an HTTP header field used to strengthen the security of Web applications. Setting a CSP policy in the HTTP response header restricts the permitted sources of the JavaScript, CSS, fonts and other resources a page may load. For clickjacking specifically, CSP can restrict the contexts in which the page may be embedded in an iframe.
A basic CSP setting looks like this:
# Apache httpd mod_headers directive. When a browser sees frame-ancestors,
# it applies this directive and ignores X-Frame-Options for the same response.
Header set Content-Security-Policy "frame-ancestors 'self'"
This tells the browser that the current page may only be embedded by same-origin pages, which prevents a malicious page set up by an attacker from framing it.
Note that the CSP settings may need to be tailored to the specifics of the Web application, so that normal business functionality is not disrupted.
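To confirm that a deployed server really sends one of the two protections described in sections 2 and 3, the following audit script is added here as an example; it is not part of the original article. It takes the raw (name, value) pairs of an HTTP response, applies the browser rule that an enforced CSP frame-ancestors directive overrides X-Frame-Options, ignores Report-Only policies, and reports whether a cross-origin page would be refused as a framing ancestor. The sample responses in the demo are constructed, and the helper audit_url is an added convenience that only contacts a server when you call it.

```python
"""Audit HTTP response headers for clickjacking protection (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]  # raw (name, value) pairs; a header may repeat


@dataclass
class FrameVerdict:
    protected: bool   # True if a cross-origin page cannot frame this response
    mechanism: str    # "csp", "x-frame-options" or "none"
    detail: str       # human-readable reason


def _values(headers: Headers, name: str) -> List[str]:
    """Return every occurrence of a header, matched case-insensitively.
    Exact-name matching means Content-Security-Policy-Report-Only is *not*
    treated as CSP: a report-only policy reports violations but never blocks."""
    return [v.strip() for n, v in headers if n.lower() == name.lower()]


def _frame_ancestors(policy: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list of one CSP value, or None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _permissive(sources: List[str]) -> bool:
    """A wildcard or bare scheme source lets any origin on that scheme frame the page."""
    return any(s in ("*", "http:", "https:") for s in sources)


def evaluate_frame_protection(headers: Headers) -> FrameVerdict:
    # Rule 1: when any enforced CSP carries frame-ancestors, browsers ignore
    # X-Frame-Options entirely, so CSP is evaluated first.
    lists = [a for p in _values(headers, "Content-Security-Policy")
             if (a := _frame_ancestors(p)) is not None]
    if lists:
        # A frame must satisfy every policy, so one restrictive list suffices.
        strict = [a for a in lists if not _permissive(a)]
        if not strict:
            return FrameVerdict(False, "csp", "frame-ancestors permits any origin")
        # An empty source list is equivalent to 'none'.
        if any(a == [] or a == ["'none'"] for a in strict):
            return FrameVerdict(True, "csp", "frame-ancestors 'none': framing refused everywhere")
        if all(set(a) <= {"'self'"} for a in strict):
            return FrameVerdict(True, "csp", "frame-ancestors 'self': same-origin framing only")
        return FrameVerdict(True, "csp", "frame-ancestors allow-list: " + " ".join(strict[0]))

    # Rule 2: fall back to X-Frame-Options. A proxy may have folded repeated
    # headers into one comma-separated value, so split on commas as well.
    xfo = [t.strip().lower()
           for v in _values(headers, "X-Frame-Options") for t in v.split(",")]
    if not xfo:
        return FrameVerdict(False, "none", "no frame-ancestors and no X-Frame-Options")
    distinct = set(xfo)
    if distinct == {"deny"}:
        return FrameVerdict(True, "x-frame-options", "DENY: framing refused everywhere")
    if distinct == {"sameorigin"}:
        return FrameVerdict(True, "x-frame-options", "SAMEORIGIN: same-origin framing only")
    if len(distinct) > 1:
        return FrameVerdict(False, "x-frame-options",
                            f"conflicting values {sorted(distinct)}: misconfiguration, fix the server")
    # ALLOW-FROM is obsolete and ignored by current browsers; anything else is invalid.
    return FrameVerdict(False, "x-frame-options",
                        f"unsupported value {xfo[0]!r}: use DENY or SAMEORIGIN")


def audit_url(url: str) -> FrameVerdict:
    """Fetch a URL you operate and audit its real response headers (added helper)."""
    import urllib.request
    with urllib.request.urlopen(url) as resp:
        return evaluate_frame_protection(list(resp.headers.items()))


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server.
    samples = {
        "apache SAMEORIGIN":     [("X-Frame-Options", "SAMEORIGIN")],
        "csp self + legacy XFO": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
                                  ("X-Frame-Options", "DENY")],
        "report-only only":      [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
        "wildcard":              [("Content-Security-Policy", "frame-ancestors *")],
        "no headers":            [],
    }
    for label, hdrs in samples.items():
        v = evaluate_frame_protection(hdrs)
        print(f"{label:24} protected={v.protected!s:5} via {v.mechanism}: {v.detail}")
```

Run it once against the constructed samples, then point audit_url at your own server: the two cases that most often surprise people are a Report-Only policy that looks protective but enforces nothing, and an ALLOW-FROM value that current browsers simply ignore.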
4. Controlling navigation with JavaScript
Within a Web application, JavaScript can be used to control page navigation and so avoid clickjacking. By checking on page load whether the top-level window is the page itself, or by checking before a navigation is triggered whether the current page has been embedded in an iframe, the user can be effectively prevented from performing the navigation while the page is hijacked.
Here is an example:
// Frame-busting: if this window is not the top-level window, the page has
// been framed; navigate the top-level window to this page so it shows unframed.
// The framing page can disable scripts, so use this only in addition to the
// response headers above, never as the sole protection.
if (window.top !== window.self) {
    window.top.location = window.self.location;
}
When the page detects that it has been embedded in an iframe, it forces the top-level window to navigate to the page itself.
Summary:
Protecting Web interfaces from clickjacking is an important part of Linux server security. Using X-Frame-Options, Content Security Policy and JavaScript navigation control effectively reduces the damage clickjacking can do. Bear in mind, however, that web security is a constantly evolving field: these measures should be combined with other security controls, and server software should be updated and upgraded regularly to keep the server secure.