If I add <iframe src="https://"></iframe> to a page's HTML, the parent page is immediately redirected to a "The address is not valid" error page in IE 11. In Chrome, a blank iframe appears on the page, as I would expect. Why is this, and can it be prevented somehow? Thanks!
EDIT:
I've been testing a web app that displays a dashboard screen full of various types of components, all of which are configurable by users. Users can embed any external content they want, as long as it's served over HTTPS. I just found that, if someone tries to embed a URL of "https://", the resulting page redirection throws the application into an undesirable state. I plan to add restrictions to user input to prevent this, but I was just curious about the actual mechanism behind this parent-level redirection.
答案 0 :(得分:1)
当指示IE11显示错误的URL时,您会看到使用内置于IE的HTML和JavaScript呈现的错误消息。那个页面上写着“地址无效”等等等等等等。
HTML文件名为syntax.html,它加载两个名为HttpErrorPagesScripts.js和errorpagestrings.js的JavaScript文件。
后一个文件包含此代码(为了您的观看乐趣而重新格式化):
function clickRefresh()
{
var location = window.location.href;
var poundIndex = location.indexOf('#');
if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))
{
window.location.replace(location.substring(poundIndex+1));
}
}
上面的JavaScript的最后一行执行“帧清除”,这是iframe中包含的网站将其自己(或另一个)URL插入地址栏的位置。
在这种情况下,iframed页面会插入自己的URL(由于IE特定的原因,它是原始URL而不是syntax.html
在IE(真实浏览器)以外的浏览器中,您可以使用iframe的sandbox属性中提供的选项来阻止此帧破坏行为。
添加没有值的sandbox选项可以防止所有沙箱保护运行JavaScript,重定向,启用表单(用于UI纠正)帧破坏等。
有关完整列表,请在https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
所以在好的浏览器中,这样可以正常工作:
<iframe src="https://" sandbox ></iframe>
(但你还是搞砸了IE)。
Mozilla页面说IE从IE10开始支持sandbox属性,但我从测试中知道上面的方法(添加sandbox)在Chrome中工作正常但在IE11中没有效果,所以很好好运。我当然没有在互联网上搜索特定于IE的解决方案,所以一定要四处寻找。