Question
I haven't been able to find much of an answer yet, so I'm just going to ask.
How difficult would it be to stop a frame breaker from working - or even just ignore it?
Answer 1:
As per Jeff's question:
As it turns out, your frame-busting code can be busted, as shown here:
<script type="text/javascript">
    var prevent_bust = 0
    window.onbeforeunload = function() { prevent_bust++ }
    setInterval(function() {
      if (prevent_bust > 0) {
        prevent_bust -= 2
        window.top.location = 'http://server-which-responds-with-204.com'
      }
    }, 1)
</script>
This code does the following:
- increments a counter every time the browser attempts to navigate away from the current page, via the window.onbeforeunload event handler
- sets up a timer that fires every millisecond via setInterval(), and if it sees the counter incremented, changes the current location to a server of the attacker's control
- that server serves up a page with HTTP status code 204, which does not cause the browser to navigate anywhere
Answer 2:
This is the solution to your problem, I hope it helped!
<iframe src="URL" sandbox="allow-scripts" width="100%" height="100%" scroll="yes" frameborder="0"></iframe>
Source: https://stackoverflow.com/questions/7898503/can-you-beat-a-frame-breaker
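Both answers above defeat a frame breaker that runs as script inside the framed page, so a defender's first check is whether the response also carries a framing policy that the browser enforces itself. The following is an added example, not code from the original question or answers: a small audit helper that classifies a response from its `Content-Security-Policy` `frame-ancestors` directive and `X-Frame-Options` header. The function name `framingPolicy` and the sample responses are constructed for illustration.

```javascript
// Added example: classify a response's header-based anti-framing protection.
// 'none' means the page depends on a script frame breaker alone.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // frame-ancestors is checked first: browsers that enforce it ignore X-Frame-Options.
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    const srcs = sources.map((s) => s.toLowerCase());
    // An empty list or a lone 'none' matches no ancestor at all.
    if (srcs.every((s) => s === "'none'")) return { via: 'csp', protection: 'deny' };
    // "*" or a bare scheme such as "https:" lets any site frame the page.
    if (srcs.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s))) {
      return { via: 'csp', protection: 'permissive' };
    }
    return { via: 'csp', protection: 'allowlist' };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { via: 'xfo', protection: 'deny' };
  if (xfo === 'SAMEORIGIN') return { via: 'xfo', protection: 'allowlist' };
  // ALLOW-FROM and unrecognised values are ignored by current browsers.
  return { via: null, protection: 'none' };
}

// Constructed sample responses (not taken from any real site).
const samples = {
  'script frame breaker only': {},
  'legacy header': { 'X-Frame-Options': 'SAMEORIGIN' },
  'csp allowlist': {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example",
  },
  'csp wildcard overrides xfo': {
    'Content-Security-Policy': 'frame-ancestors *',
    'X-Frame-Options': 'DENY',
  },
};

for (const [label, headers] of Object.entries(samples)) {
  const r = framingPolicy(headers);
  console.log(`${label}: ${r.protection}${r.via ? ' (' + r.via + ')' : ''}`);
}
```

A result of `none` or `permissive` marks a page whose only anti-framing control is the kind of script the answers above show being bypassed.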