Why does <iframe src="https://"></iframe> redirect the page in IE 11?

Submitted by 隐身守侯 on 2019-12-12 04:39:13

Question


If I add <iframe src="https://"></iframe> to a page's HTML, the parent page is immediately redirected to a "The address is not valid" error page in IE 11. In Chrome, a blank iframe appears on the page, as I would expect. Why is this, and can it be prevented somehow? Thanks!

EDIT:

I've been testing a web app that displays a dashboard screen full of various types of components, all of which are configurable by users. Users can embed any external content they want, as long as it's served over HTTPS. I just found that, if someone tries to embed a URL of "https://", the resulting page redirection throws the application into an undesirable state. I plan to add restrictions to user input to prevent this, but I was just curious about the actual mechanism behind this parent-level redirection.


Answer 1:


When IE11 is directed to display a bad URL, you see an error message rendered with HTML and JavaScript that is built in to IE. That's the page that says "The address is not valid" blah blah blah.

The HTML file is called syntax.html, and it loads two JavaScript files called HttpErrorPagesScripts.js and errorpagestrings.js.

The latter file contains this code (reformatted for your viewing pleasure):

function clickRefresh()
{
    var location = window.location.href;
    var poundIndex = location.indexOf('#');
    if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))
    {
        window.location.replace(location.substring(poundIndex+1));
    }
}

The last line of JavaScript above performs "frame busting", which is where a website enclosed in an iframe inserts its own (or another) URL into the address bar.

In this case the iframed page inserts its own URL (which, for IE-specific reasons, is the original URL and not syntax.html).

In browsers other than IE (real browsers), you can prevent this frame-busting behavior by using options provided in the iframe's sandbox attribute. Adding the sandbox attribute with no value enables all of the sandbox protections against running JavaScript, redirecting, enabling forms (used for UI redressing), frame busting, etc. For the full list look for "sandbox" in https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

So in good browsers this would work fine:

<iframe src="https://" sandbox></iframe>

(but you're still screwed with IE). The Mozilla page says that the sandbox attribute is supported by IE starting in IE10, but I know from testing that the above approach (adding sandbox) works fine in Chrome but has no effect in IE11, so good luck there. I certainly haven't scoured the internet for IE-specific solutions to this so definitely look around.
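One way to combine the input restriction the question mentions with the sandbox attribute from the answer, as an added example that is not part of the original thread (function names are hypothetical; it relies on the WHATWG URL parser available in browsers and Node):

```javascript
// Added example, not from the original thread: validate a user-supplied
// embed URL and emit a sandboxed <iframe> for it. Function names are
// hypothetical. Uses the WHATWG URL parser available in browsers and Node.

// Return the normalized https URL string, or null if the input must be
// rejected. "https://" alone has no host, so the URL parser throws and
// the value is rejected before it can ever reach an iframe.
function validateEmbedUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch (e) {
    return null; // malformed, e.g. "https://" with no host
  }
  if (url.protocol !== 'https:') return null;    // HTTPS only, as the app requires
  if (url.hostname === '') return null;          // defensive: parser already rejects this
  if (url.username || url.password) return null; // no embedded credentials
  return url.href;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
              .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build the iframe markup. The bare `sandbox` attribute applies every
// restriction (no scripts, no top-level navigation, no forms), which is
// what blocks frame busting in browsers that honour it.
function buildEmbedIframe(input) {
  const href = validateEmbedUrl(input);
  if (href === null) return null;
  return `<iframe src="${escapeAttr(href)}" sandbox></iframe>`;
}

// Constructed sample inputs, as a dashboard user might enter them.
const samples = ['https://', 'http://example.com/widget', 'https://example.com/widget?a=1&b=2'];
for (const s of samples) console.log(JSON.stringify(s), '->', buildEmbedIframe(s));
```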



Source: https://stackoverflow.com/questions/40162180/why-does-iframe-src-https-iframe-redirect-the-page-in-ie-11
