
Frame Busting: How to Stop Unauthorized Iframing of Your Content

A visitor to my site once let me know that when he clicked one of my links on Twitter, he was taken to my site with a big pop-up warning about malicious code. That is enough to scare anyone, so I started testing. There was nothing wrong with my site; the problem was the affiliate link.

The link on the other site produced a toolbar across the top that encouraged people to click a malicious link while loading my site in an iframe beneath it. To most of the public, it looked as though my site was spreading malicious code. I can't say I want any site loading mine in an iframe, so I did what any reasonable person would do... I loaded a frame buster.

Iframing your site isn't always malicious, though. We recently shared a tool, Sniply, for adding a call-to-action (CTA) to any web page you share. It does this by embedding your entire site in an iframe and overlaying a div with the call-to-action on top of your content.

But I'm particularly protective of my content and the effort I've put into Martech Zone, so I don't want anyone iframing my content, even through an affiliate platform. After doing some research, I found there are several ways to handle this.

How to Stop Iframing of Your Content with JavaScript

This JavaScript checks whether the current window (self) is not the top-level window (top). If it isn't, the page is inside a frame, iframe, or similar, and the script redirects the top window to the current window's URL. This effectively breaks the page out of the iframe.

<script type='text/javascript'>
if (top !== self) top.location.href = self.location.href;
</script>

There are several drawbacks to this approach:

  1. Dependence on JavaScript: If the user has JavaScript disabled, this method won't work.
  2. Delay: There can be a brief delay before the JavaScript executes, during which your site's content may be visible inside the frame.
  3. Same-Origin Restrictions: In some cases, the same-origin policy may prevent this script from working as intended. If the parent document is on a different domain, the script may not be able to access top.location.href.
  4. Potential for Frame-Busting-Busters: There are also scripts (known as frame-busting-busters) that can prevent frame-busting scripts from working.

A better approach is to use HTTP response headers.

X-Frame-Options and Content-Security-Policy

Both X-Frame-Options and Content-Security-Policy (CSP) are HTTP response headers used to improve the security of a website. Each serves a different purpose and offers a different level of flexibility.

X-Frame-Options is an older HTTP header designed specifically to control whether your site can be embedded in a <frame>, <iframe>, <embed>, or <object> on another page. It has three possible directives:

  1. DENY – The page cannot be displayed in a frame, regardless of which site attempts to do so.
  2. SAMEORIGIN – The page can only be displayed in a frame on the same origin as the page itself.
  3. ALLOW-FROM uri – The page can only be displayed in a frame on the specified origin.

However, X-Frame-Options is limited in that it cannot handle more complex scenarios, such as allowing framing from multiple origins or using wildcards for subdomains. Not all browsers support the ALLOW-FROM directive.

Content-Security-Policy, on the other hand, is a more flexible and powerful HTTP header. While it can do everything X-Frame-Options can do and a great deal more, its primary purpose is to prevent various kinds of code injection attacks, including cross-site scripting (XSS) and clickjacking. It works by specifying an allowlist of trusted content sources (scripts, styles, images, and so on).

To control framing, CSP uses the frame-ancestors directive. You can specify multiple sources, including multiple domains and subdomains. Here's an example:

Content-Security-Policy: frame-ancestors 'self' yourdomain.com *.domain2.com;

This would allow the page to be framed on its own site ('self'), on yourdomain.com, and on any subdomain of domain2.com.

CSP is recommended as the replacement for X-Frame-Options, since it can handle everything X-Frame-Options can, and more. While most modern browsers support CSP, there may still be some older or niche browsers that don't fully support it.

How to Stop Iframing of Your Content with HTML

There is now a Content-Security-Policy meta tag you can deploy that blocks the ability to frame your content:

<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self' yourdomain.com">

The effectiveness of the HTML meta tag is limited because not all browsers honor Content-Security-Policy when it is set with a meta tag.

How to Stop Iframing of Your Content with HTTP Headers

It is best to use the HTTP headers X-Frame-Options or Content-Security-Policy to control framing. These options are more reliable and more secure, and they work even when JavaScript is disabled. The JavaScript method should only be used as a last resort, when you have no control over the server to set HTTP headers. In every example, replace yourdomain.com with your actual domain.

Apache – Edit your .htaccess file as follows:

Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' yourdomain.com"

Nginx – Edit your server block as follows:

add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' yourdomain.com";

IIS – Add the following to your web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="frame-ancestors 'self' yourdomain.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

WordPress – Add this code to your theme's functions.php file:

function add_security_headers() {
  header('X-Frame-Options: SAMEORIGIN');
  header("Content-Security-Policy: frame-ancestors 'self' yourdomain.com");
}
add_action('send_headers', 'add_security_headers');

These rules will only allow your page to be embedded in iframes on the exact domain you specify, not on any subdomain of that domain. If you want to allow particular subdomains, you must list them explicitly, such as subdomain1.yourdomain.com subdomain2.yourdomain.com, and so on.

Allowing Iframing of Your Content from Multiple Domains

You can specify multiple domains with the Content-Security-Policy HTTP response header and the frame-ancestors directive. Separate each domain with a space. Here's an example:

Content-Security-Policy: frame-ancestors 'self' domain1.com domain2.com domain3.com;

Apache – Edit your .htaccess file as follows:

Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com"

Nginx – Edit your server block as follows:

add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'self' domain1.com domain2.com domain3.com";

IIS – Add the following to your web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <add name="Content-Security-Policy" value="frame-ancestors 'self' domain1.com domain2.com domain3.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Allowing Iframing of Your Content from Wildcard Domains

You can also specify a wildcard for all subdomains of a domain with the Content-Security-Policy HTTP response header and the frame-ancestors directive. Here are examples of the Content-Security-Policy code that needs to be updated:

Content-Security-Policy: frame-ancestors 'self' *.yourdomain.com;

Apache – Edit your .htaccess file as follows:

Header always set Content-Security-Policy "frame-ancestors 'self' *.yourdomain.com"

Nginx – Edit your server block as follows:

add_header Content-Security-Policy "frame-ancestors 'self' *.domain1.com *.domain2.com *.domain3.com";

IIS – Add the following to your web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="frame-ancestors 'self' *.yourdomain.com" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
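As an added example (not code from the original post), the following Python evaluates a response's X-Frame-Options and Content-Security-Policy headers the way a browser does, so you can check which ancestor origins the exact-domain and wildcard configurations above actually permit before deploying them. It assumes the constructed PAGE URL and header dictionaries shown, and simplifies host-source matching (scheme, port and path are ignored); it does model the rule that a frame-ancestors directive, when present, overrides X-Frame-Options.

```python
# Decides whether a browser honouring these headers lets an ancestor origin frame
# the page. Sample headers are constructed; host-source scheme/port/path ignored.
from urllib.parse import urlsplit
PAGE = "https://yourdomain.com/post"  # constructed URL of the framed page
EXACT = {"X-Frame-Options": "SAMEORIGIN",
         "Content-Security-Policy": "frame-ancestors 'self' yourdomain.com"}
WILDCARD = {"Content-Security-Policy": "frame-ancestors 'self' *.yourdomain.com;"}

def _origin(url):
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)

def _host_matches(pattern, host):
    # '*.example.com' matches every subdomain but never example.com itself
    pattern = pattern.split("://")[-1].split("/")[0].split(":")[0]
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern

def frame_ancestors_allow(csp, ancestor, page):
    """True/False when the policy carries frame-ancestors, None otherwise."""
    for directive in csp.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        for src in parts[1:]:
            s = src.strip("'").lower()
            if s == "none":
                return False
            allowed = (_origin(ancestor) == _origin(page) if s == "self"
                       else _host_matches(s, _origin(ancestor)[1]))
            if allowed:
                return True
        return False  # directive present but no source matched
    return None

def xfo_allows(xfo, ancestor, page):
    # ALLOW-FROM is not modelled: browser support for it is incomplete
    value = xfo.strip().upper()
    if value == "SAMEORIGIN":
        return _origin(ancestor) == _origin(page)
    return value != "DENY"  # unrecognised values are ignored by browsers

def framing_allowed(headers, ancestor, page=PAGE):
    h = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in h:  # frame-ancestors overrides XFO
        verdict = frame_ancestors_allow(h["content-security-policy"], ancestor, page)
        if verdict is not None:
            return verdict
    if "x-frame-options" in h:
        return xfo_allows(h["x-frame-options"], ancestor, page)
    return True  # no policy at all: anyone may frame the page
```

Feed it the headers your server really returns (for example from curl -I) to confirm the policy matches what you intended.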

Douglas Karr

Douglas Karr is the CMO of OpenINSIGHTS and the founder of Martech Zone. Douglas has helped dozens of successful MarTech startups, assisted in the due diligence of over $5 billion in MarTech acquisitions and investments, and continues to help companies implement and automate their sales and marketing strategies. Douglas is an internationally recognized digital transformation and MarTech expert and speaker. Douglas is also a published author of a Dummies guide and a business leadership book.
