Is Frame-Options a standard, or is it only a draft with no schedule for approval?
OWASP has a page where they suggest using x-frame-options and frame-options to prevent clickjacking. The latter was defined as a draft a few years ago, but I cannot find any information about implementations or acceptance of that draft. Has it been accepted, is it planned, or in other words what is its status, and should we add it, or just use x-frame-options for now?
It is advisable for the server to respond with the X-Frame-Options header regardless of whether the draft is approved. I took the following from the Acunetix vulnerability description:

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

My impression is that the draft was not standardized (at least at the time of the post) because X-Frame-Options is implemented differently across browsers, leading to unexpected results and behaviour. However, this is only my guess; it may be for entirely different reasons.
Frame-Options is not a standard. The new standard is to use CSP's frame-ancestors directive.

The frame-ancestors directive specifies valid parents that may embed a page using the <frame> and <iframe> elements. This directive is not supported in the element or by the Content-Security-Policy-Report-Only header field.

Because this is a new standard (see browser support here), it is advised to also use X-Frame-Options in the meantime, until all browsers your platform supports either catch up or are phased out.
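Both answers above recommend sending X-Frame-Options alongside a CSP frame-ancestors directive. The following Python helper is an added example, not code from OWASP, Acunetix, or either answer: it builds that header pair for a chosen framing policy and audits a response's headers the way a scanner would, flagging the cases where the two headers disagree. The function names and the sample responses are constructed for this illustration; the one behavioural fact it relies on is that browsers which implement frame-ancestors ignore X-Frame-Options when both are present, so a permissive CSP silently overrides a strict legacy header.

```python
"""Build and audit anti-clickjacking response headers.

Added example (hypothetical helper, not from OWASP, Acunetix or the answers).
Builds the X-Frame-Options + CSP frame-ancestors pair and audits a response,
reporting gaps and the cases where the two headers disagree.
"""
from typing import Dict, List, Optional, Tuple

XFO_VALID = ("DENY", "SAMEORIGIN")


def clickjacking_headers(allowed_ancestors: Optional[List[str]] = None) -> Dict[str, str]:
    """Return the header pair to send for a given framing policy.

    None                                  -> nobody may frame the page
    ["'self'"]                            -> only same-origin documents
    ["'self'", "https://partner.example"] -> those origins (expressible in CSP only)

    X-Frame-Options has no widely honoured multi-origin form (ALLOW-FROM was
    never broadly implemented), so for an origin list the legacy header falls
    back to SAMEORIGIN and the CSP directive carries the real policy.
    """
    if not allowed_ancestors:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors " + " ".join(allowed_ancestors)}


def frame_ancestors_sources(csp: str) -> Optional[List[str]]:
    """Return the source list of a CSP's frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def audit_clickjacking(headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Audit response headers for clickjacking protection.

    Returns (protected, findings). 'protected' reflects a CSP-aware browser:
    when frame-ancestors is present it wins and X-Frame-Options is ignored.
    Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().upper()
    ancestors = frame_ancestors_sources(lower.get("content-security-policy", ""))
    findings: List[str] = []

    xfo_ok = xfo in XFO_VALID
    if not xfo:
        findings.append("X-Frame-Options missing: browsers without CSP support are unprotected")
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is not honoured by most browsers")
    elif not xfo_ok:
        findings.append(f"X-Frame-Options has an invalid value: {xfo!r}")

    if ancestors is None:
        findings.append("CSP frame-ancestors missing: only the legacy header protects the page")
        return xfo_ok, findings

    # An empty source list means 'none'; a wildcard lets any site frame the page.
    csp_ok = "*" not in ancestors
    if not csp_ok:
        findings.append("frame-ancestors * allows any site to frame the page")
    third_party = [a for a in ancestors if a not in ("'self'", "'none'")]
    if xfo == "DENY" and ancestors not in ([], ["'none'"]):
        findings.append("X-Frame-Options DENY but frame-ancestors permits framing; "
                        "CSP-aware browsers follow the CSP")
    elif xfo == "SAMEORIGIN" and third_party:
        findings.append("X-Frame-Options SAMEORIGIN but frame-ancestors permits other origins; "
                        "CSP-aware browsers follow the CSP")
    return csp_ok, findings


if __name__ == "__main__":
    # Constructed sample responses, as a scanner might see them.
    samples = {
        "hardened": clickjacking_headers(),
        "partner-embed": clickjacking_headers(["'self'", "https://partner.example"]),
        "legacy-only": {"X-Frame-Options": "sameorigin"},
        "contradictory": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
        "unprotected": {"Content-Type": "text/html"},
    }
    for name, hdrs in samples.items():
        protected, findings = audit_clickjacking(hdrs)
        print(f"{name}: {'protected' if protected else 'NOT protected'}")
        for finding in findings:
            print("  -", finding)
```

The "partner-embed" sample shows the practical limit of the belt-and-braces approach: once a page must be framed by a third-party origin, only the CSP directive can express that, and the legacy header is reduced to SAMEORIGIN for older browsers, which the audit reports as a disagreement rather than an error.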