XFS Cross Frame Scripting

避免頁面被內嵌

html head 設定

Content Security Policy :CSP 設定

    <head>
        <meta http-equiv="Content-Security-Policy" content="frame-ancestors 'none';" />
    </head>

js location 轉導

browser 可停用

    <head>
        <script type="text/javascript">
            if (top != self) {
                top.location = self.location;
            }
         </script>
    </head>

filter

X-Frame-Options, 下面範例是 tomcat 處理方式。不同 container 處理方式不同。

web.xml

        <!-- XFS -->
        <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
            <init-param>
                <param-name>antiClickJackingOption</param-name>
                <param-value>SAMEORIGIN</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

避免頁面被內嵌​

html head 設定​

js location 轉導​

filter​

避免頁面被內嵌

html head 設定

js location 轉導

filter