如何拒绝来自iframe的网站访问?

时间:2011-12-06 08:50:35

标签: java security iframe apache2 tomcat

我注意到一些网站出于安全原因拒绝从iFrame访问其注册和登录页面。在我看来这是一个好主意。

我想知道为了做到这一点他们需要什么设置,因为我想在我的网站上做同样的事情。有问题的网站是用Java构建的,可以在Apache Tomcat上运行。

如果有人知道如何做到这一点,那么如果你能分享就会很棒。

3 个答案:

答案 0 :(得分:4)

这是我用过的,它起作用了。我从这里得到了所有东西:OWASP Clickjacking protection in java

在web.xml中,根据要强制执行的策略添加其中一个:

<display-name>OWASP ClickjackFilter</display-name>
    <filter>
        <filter-name>ClickjackFilterDeny</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>DENY</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>ClickjackFilterSameOrigin</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>

     <!--  use the Deny version to prevent anyone, including yourself, from framing the page -->
    <filter-mapping> 
        <filter-name>ClickjackFilterDeny</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- use the SameOrigin version to allow your application to frame, but nobody else
    <filter-mapping> 
        <filter-name>ClickjackFilterSameOrigin</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    -->

    ...

然后在java代码中:

public class ClickjackFilter implements Filter 
{

    private String mode = "DENY";

    /**
     * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
     * decide to implement) not to display this content in a frame. For details, please
     * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse)response;
        //If you have Tomcat 5 or 6, there is a known bug using this code.  You must have the doFilter first:
        chain.doFilter(request, response);
        res.addHeader("X-FRAME-OPTIONS", mode );            
        //Otherwise use this:
        //res.addHeader("X-FRAME-OPTIONS", mode );          
        //chain.doFilter(request, response);

    }

    public void destroy() {
    }

    public void init(FilterConfig filterConfig) {
        String configMode = filterConfig.getInitParameter("mode");
        if ( configMode != null ) {
            mode = configMode;
        }
    }

答案 1 :(得分:3)

好吧,你应该使用 x-frame-options

阅读这篇文章,希望它有所帮助:

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

我不熟悉jsp和servlet,但我认为你可以这样做:

public class NoIFrameAllowedServlet extends HttpServlet {

  public void doGet(HttpServletRequest request,
                    HttpServletResponse response)
      throws ServletException, IOException {
      response.setHeader("X-Frame-Options", "SAMEORIGIN");
    }

答案 2 :(得分:0)

您可以使用JavaScript检测iframe:

location.href != top.location.href -> iframe.

您还可以使用“X-Frame-Options”HTTP标头。

相关问题
最新问题