Frame Busting 代码为啥在某些浏览器里失效了? 宇文慧慧 提问于 2026-03-09 22:52:22 阅读 39 安全 我最近在做前端安全加固,加了防点击劫持的 Frame Busting 代码,但测试发现 Chrome 和 Safari 下有时候还是能被嵌入 iframe,是我写法有问题吗? 我试过用 top.location 替换,也加了 CSP 头,但本地测试时下面这段代码在某些情况下好像没起作用: <script type="text/javascript"> if (top !== self) { top.location = self.location; } </script> 点击劫持 我来解答 赞 9 收藏 分享 生成中... 手机扫码查看 复制链接 生成海报 反馈 发表解答 您需要先 登录/注册 才能发表解答 2 条解答 UX丹丹 Lv1 这个问题挺常见的,你那段代码失效的原因主要有两个: 根本原因是浏览器的安全策略和 iframe 的 sandbox 属性 失效的原因第一,如果攻击者的 iframe 加了 sandbox 属性比如 </code>,你的 frame busting 代码可能直接不执行。sandbox 模式下浏览器会限制很多操作,但 allow-scripts 和 allow-same-origin 这两个允许值恰好能让你这段代码失效——它能执行 JS 但行为会被约束。<br /> <br /> 第二,同源情况下 Chrome 和 Safari 有时候会放行。简单说就是如果嵌入你的页面的那个父页面跟你的站点同源,浏览器认为这是"内部行为",不会强制跳走。<br /> <br /> 正确的解决方案<br /> <br /> 别光靠 JS 防御,这玩意儿太脆弱。HTTP 响应头才是正道:<br /> <br /> 方案一:X-Frame-Options 头<br /> <br /> <pre class="pure-highlightjs line-numbers"><code class="language-none">X-Frame-Options: DENY</code></pre><br /> <br /> 或者<br /> <br /> <pre class="pure-highlightjs line-numbers"><code class="language-none">X-Frame-Options: SAMEORIGIN</code></pre><br /> <br /> DENY 是谁都不能嵌入,SAMEORIGIN 只能同源嵌入。这个头在所有现代浏览器都支持。<br /> <br /> 方案二:Content-Security-Policy 的 frame-ancestors(推荐)<br /> <br /> <pre class="pure-highlightjs line-numbers"><code class="language-none">Content-Security-Policy: frame-ancestors 'self'</code></pre><br /> <br /> 这个是 CSP 的一部分,比 X-Frame-Options 更灵活,可以指定具体允许的域名。<br /> <br /> 方案三:JS 方案作为兜底<br /> <br /> 如果你还想保留 JS 防护,改进一下写法,加个定时器强制跳转:<br /> <br /> <pre class="pure-highlightjs line-numbers"><code class="language-javascript">(function() {<br /> // 检测是否被嵌入<br /> if (top !== self) {<br /> // 尝试跳转<br /> try {<br /> top.location = self.location;<br /> } catch (e) {<br /> // 如果跨域报错,至少改变自己的位置<br /> self.location.href = self.location.href;<br /> }<br /> <br /> // 定时器兜底,防止被拦截<br /> setTimeout(function() {<br /> if (top.location !== self.location) {<br /> self.location.href = 'about:blank';<br /> }<br /> }, 100);<br /> }<br /> })();</code></pre><br /> <br /> 但说实话,X-Frame-Options 或者 CSP 头才是根本解决办法,JS 代码作为辅助手段就行。你现在应该检查一下服务器端能不能加这些响应头,这才是最靠谱的。 </div> <div class="comment-actions"> <button type="button" class="comment-reply-btn uk-button" data-comment-id="82598" data-author-name="UX丹丹"><i class="ceofont ceoicon-message-3-line"></i>回复</button> <div class="comment-action comment-like " data-comment-id="82598" data-nonce="150109f00b"> <span class="comment-like-text"><i class="ceofont ceoicon-thumb-up-line"></i>点赞</span> <span class="comment-like-count" style="display:none;"></span> </div> <!-- 展开回复按钮 --> <span class="comment-date">2026-03-14 06:03</span> </div> <!-- 回复表单容器 --> <div class="comment-reply-form-container" id="reply-form-82598" style="display: none;"></div> </div> </div> <div class="comment-item uk-flex" data-id="75394"> <div class="avatar"> <img src="//style.jztheme.com/images/avatar/avatar195.jpg" alt="秀丽(打工版)" onerror="this.src='https://www.jztheme.com/wp-content/themes/jztheme/static/images/avatar.png'"> </div> <div class="uk-flex-1"> <div class="name"> <a href="https://www.jztheme.com/author/25693">秀丽(打工版)</a> <span class="level">Lv1</span> </div> <div class="comment-content"> 啊这个坑我踩过!Frame Busting确实不是百分百可靠的,主要是有几种情况会让它失效:<br /> <br /> 1. 有些浏览器实现了X-Frame-Options或Content-Security-Policy之后,会故意禁用frame busting脚本(特别是Chrome)<br /> 2. 攻击者可以用sandbox属性来阻止脚本执行,比如<code><iframe sandbox="allow-forms"></code><br /> <br /> 可以试试这样改进你的方案:<br /> <br /> 首先在HTTP头里加上X-Frame-Options(这个优先级最高):<br /> <pre class="pure-highlightjs line-numbers"><code class="language-bash">X-Frame-Options: DENY<br /> # 或者<br /> X-Frame-Options: SAMEORIGIN</code></pre><br /> <br /> 然后你的JS代码可以改成更健壮的版本:<br /> <pre class="pure-highlightjs line-numbers"><code class="language-javascript">if (top !== self) {<br /> try {<br /> top.location = self.location;<br /> } catch(e) {<br /> document.body.innerHTML = '不允许在iframe中加载';<br /> document.body.style.cssText = 'font-size:30px;color:red;text-align:center;';<br /> window.stop();<br /> }<br /> }</code></pre><br /> <br /> 另外提醒下,现在更推荐用CSP的frame-ancestors指令:<br /> <pre class="pure-highlightjs line-numbers"><code class="language-bash">Content-Security-Policy: frame-ancestors 'none'</code></pre><br /> <br /> 说实话现在的浏览器安全策略变化太快,我上周测试时还发现Edge对某些配置的处理方式又不一样了...建议三个方案都用上,反正不冲突。 </div> <div class="comment-actions"> <button type="button" class="comment-reply-btn uk-button" data-comment-id="75394" data-author-name="秀丽(打工版)"><i class="ceofont ceoicon-message-3-line"></i>回复</button> <div class="comment-action comment-like " data-comment-id="75394" data-nonce="150109f00b"> <span class="comment-like-text"><i class="ceofont ceoicon-thumb-up-line"></i>点赞</span> <span class="comment-like-count" style="display:none;"></span> </div> <!-- 展开回复按钮 --> <span class="comment-date">2026-03-09 23:03</span> </div> <!-- 回复表单容器 --> <div class="comment-reply-form-container" id="reply-form-75394" style="display: none;"></div> </div> </div> <script>window.loadedComments = [{"id":"82598","content":"这个问题挺常见的,你那段代码失效的原因主要有两个:\n\n根本原因是浏览器的安全策略和 iframe 的 sandbox 属性\n\n失效的原因第一,如果攻击者的 iframe 加了 sandbox 属性比如 <code><iframe sandbox=\"allow-scripts allow-same-origin\"><\/code>,你的 frame busting 代码可能直接不执行。sandbox 模式下浏览器会限制很多操作,但 allow-scripts 和 allow-same-origin 这两个允许值恰好能让你这段代码失效——它能执行 JS 但行为会被约束。\n\n第二,同源情况下 Chrome 和 Safari 有时候会放行。简单说就是如果嵌入你的页面的那个父页面跟你的站点同源,浏览器认为这是\"内部行为\",不会强制跳走。\n\n正确的解决方案\n\n别光靠 JS 防御,这玩意儿太脆弱。HTTP 响应头才是正道:\n\n方案一:X-Frame-Options 头\n\n<pre class=\"pure-highlightjs line-numbers\"><code class=\"language-none\">X-Frame-Options: DENY<\/code><\/pre>\n\n或者\n\n<pre class=\"pure-highlightjs line-numbers\"><code class=\"language-none\">X-Frame-Options: SAMEORIGIN<\/code><\/pre>\n\nDENY 是谁都不能嵌入,SAMEORIGIN 只能同源嵌入。这个头在所有现代浏览器都支持。\n\n方案二:Content-Security-Policy 的 frame-ancestors(推荐)\n\n<pre class=\"pure-highlightjs line-numbers\"><code class=\"language-none\">Content-Security-Policy: frame-ancestors 'self'<\/code><\/pre>\n\n这个是 CSP 的一部分,比 X-Frame-Options 更灵活,可以指定具体允许的域名。\n\n方案三:JS 方案作为兜底\n\n如果你还想保留 JS 防护,改进一下写法,加个定时器强制跳转:\n\n<pre class=\"pure-highlightjs line-numbers\"><code class=\"language-javascript\">(function() {\n \/\/ 检测是否被嵌入\n if (top !== self) {\n \/\/ 尝试跳转\n try {\n top.location = self.location;\n } catch (e) {\n \/\/ 如果跨域报错,至少改变自己的位置\n self.location.href = self.location.href;\n }\n \n \/\/ 定时器兜底,防止被拦截\n setTimeout(function() {\n if (top.location !== self.location) {\n self.location.href = 'about:blank';\n }\n }, 100);\n }\n})();<\/code><\/pre>\n\n但说实话,X-Frame-Options 或者 CSP 头才是根本解决办法,JS 代码作为辅助手段就行。你现在应该检查一下服务器端能不能加这些响应头,这才是最靠谱的。","author":{"name":"UX丹丹","avatar":"\/\/style.jztheme.com\/images\/avatar\/avatar1296.jpg","url":"https:\/\/www.jztheme.com\/author\/16596","is_post_author":false,"level":"Lv1"},"date":"2026-03-14 06:03","likes":0,"liked_users":[],"depth":0,"post_type":"ask","total_replies_count":0},{"id":"75394","content":"啊这个坑我踩过!Frame Busting确实不是百分百可靠的,主要是有几种情况会让它失效:\n\n1. 有些浏览器实现了X-Frame-Options或Content-Security-Policy之后,会故意禁用frame busting脚本(特别是Chrome)\n2. 攻击者可以用sandbox属性来阻止脚本执行,比如<code><iframe sandbox=\"allow-forms\"><\/code>\n\n可以试试这样改进你的方案:\n\n首先在HTTP头里加上X-Frame-Options(这个优先级最高):\n<pre class=\"pure-highlightjs line-numbers\"><code class=\"language-bash\">X-Frame-Options: DENY\n# 或者\nX-Frame-Options: SAMEORIGIN<\/code><\/pre>\n\n然后你的JS代码可以改成更健壮的版本:\n<pre class=\"pure-highlightjs line-numbers\"><code class=\"language-javascript\">if (top !== self) {\n try {\n top.location = self.location;\n } catch(e) {\n document.body.innerHTML = '不允许在iframe中加载';\n document.body.style.cssText = 'font-size:30px;color:red;text-align:center;';\n window.stop();\n }\n}<\/code><\/pre>\n\n另外提醒下,现在更推荐用CSP的frame-ancestors指令:\n<pre class=\"pure-highlightjs line-numbers\"><code class=\"language-bash\">Content-Security-Policy: frame-ancestors 'none'<\/code><\/pre>\n\n说实话现在的浏览器安全策略变化太快,我上周测试时还发现Edge对某些配置的处理方式又不一样了...建议三个方案都用上,反正不冲突。","author":{"name":"秀丽(打工版)","avatar":"\/\/style.jztheme.com\/images\/avatar\/avatar195.jpg","url":"https:\/\/www.jztheme.com\/author\/25693","is_post_author":false,"level":"Lv1"},"date":"2026-03-09 23:03","likes":0,"liked_users":[],"depth":0,"post_type":"ask","total_replies_count":0}];</script> </div> <div class="load-more-comments-container" style="display:none;"> <button class="load-more-comments-btn uk-button" data-current-page="1">加载更多</button> </div> </div> </div> <script> // 传递 nonce 给 JavaScript var _jz_ask = { answer_nonce: 'ab8faff8ca', image_nonce: 'aeef378935' }; if (typeof _jz_js !== 'undefined') { _jz_js.comment_like_nonce = '150109f00b'; _jz_js.comment_reply_nonce = 'cf4dc1436d'; } </script> </div> </div> <div class="section uk-background-default"> <div class="single-related"> <div class="title">相关推荐</div> <ul> </ul> </div> </div> </div> <footer class="uk-footer uk-background-default"> Copyright © 2026 JZTHEME All rights reserved<a href="https://www.jztheme.com/sitemap.xml" target="_blank">网站地图</a><a href="https://beian.miit.gov.cn/" target="_blank" rel="noreferrer nofollow">桂ICP备2022001918号-9</a> </footer> </article> <aside class="uk-width-1-1 uk-width-1-5@s"> <div class="jz-ask-sidebar" uk-sticky="end: !.jz-ask-single-default; offset: 100"> <div class="images uk-background-default"> <a href="https://www.jztheme.com/ask/safety/32864.html" class="uk-cover-container"> <img src="https://style.jztheme.com/images/2026/03/jztheme_image_32864.png" alt="Frame Busting 代码为啥在某些浏览器里失效了?" uk-cover> </a> </div> <div class="article-author uk-background-default"> <div class="author"> <img alt='' src='//style.jztheme.com/images/avatar/avatar3168.jpg' class='avatar avatar-60' data-id='33765' height='60' width='60' /> <div class="info"> <a href="https://www.jztheme.com/author/33765" class="name">宇文慧慧<span class="level">Lv1</span></a> <div class="extra"> <span uk-tooltip="title:UX设计师; pos: bottom" tabindex="0">职业</span> </div> </div> </div> <div class="data"> <span><em>1</em>问题</span> <span><em>1268</em>人气</span> <span><em>2162</em>粉丝</span> <span><em>68</em>关注</span> </div> <div class="description"> 爱情诞生的那年那月,是谁偷走我的心。 </div> <div class="interaction"> <button type="button" class="uk-follow-btn uk-button btn-primary" data-user="33765"><i class="ceofont ceoicon-add-line"></i>关注</button><button type="button" class="uk-message-btn uk-button" data-user="33765"><i class="ceofont ceoicon-mail-send-line"></i>私信</button> </div> <div class="recent"> <div class="title">Ta的问题</div> <ul> <li> <a href="https://www.jztheme.com/ask/safety/32864.html" title="Frame Busting 代码为啥在某些浏览器里失效了?" class="uk-text-truncate">Frame Busting 代码为啥在某些浏览器里失效了?</a> <span>39 阅读</span> </li> </ul> </div> </div> <div class="latest-ask uk-background-default"> <div class="title">最新问题</div> <ul> <li> <a href="https://www.jztheme.com/ask/optimize/41257.html" title="动态导入组件后样式丢失是怎么回事?" class="uk-text-truncate">动态导入组件后样式丢失是怎么回事?</a> <span>105 阅读</span> </li> <li> <a href="https://www.jztheme.com/ask/safety/41255.html" title="前端项目里怎么用威胁情报检测恶意CSS注入?" class="uk-text-truncate">前端项目里怎么用威胁情报检测恶意CSS注入?</a> <span>99 阅读</span> </li> <li> <a href="https://www.jztheme.com/ask/tool/41250.html" title="Jira和Confluence集成后页面嵌入报错怎么解决?" class="uk-text-truncate">Jira和Confluence集成后页面嵌入报错怎么解决?</a> <span>124 阅读</span> </li> <li> <a href="https://www.jztheme.com/ask/framework/41248.html" title="Nuxt Content 中如何正确获取当前页面的 slug 并用于 API 请求?" class="uk-text-truncate">Nuxt Content 中如何正确获取当前页面的 slug 并用于 API 请求?</a> <span>100 阅读</span> </li> <li> <a href="https://www.jztheme.com/ask/component/41246.html" title="Tag标签怎么动态绑定颜色还不报错?" class="uk-text-truncate">Tag标签怎么动态绑定颜色还不报错?</a> <span>94 阅读</span> </li> <li> <a href="https://www.jztheme.com/ask/safety/41244.html" title="前端日志上报被安全审计标记为风险,该怎么处理?" class="uk-text-truncate">前端日志上报被安全审计标记为风险,该怎么处理?</a> <span>116 阅读</span> </li> <li> <a href="https://www.jztheme.com/ask/tool/41241.html" title="Chrome DevTools 动画面板为啥不显示我的 CSS 动画?" class="uk-text-truncate">Chrome DevTools 动画面板为啥不显示我的 CSS 动画?</a> <span>98 阅读</span> </li> <li> <a href="https://www.jztheme.com/ask/front-end/41237.html" title="为什么我的媒体查询在移动端没生效?" class="uk-text-truncate">为什么我的媒体查询在移动端没生效?</a> <span>126 阅读</span> </li> <li> <a href="https://www.jztheme.com/ask/tool/41233.html" title="Webpack 5迁移后热更新失效了怎么办?" class="uk-text-truncate">Webpack 5迁移后热更新失效了怎么办?</a> <span>104 阅读</span> </li> <li> <a href="https://www.jztheme.com/ask/tool/41230.html" title="为什么 pnpm 安装的依赖在 Vue 项目里找不到?" class="uk-text-truncate">为什么 pnpm 安装的依赖在 Vue 项目里找不到?</a> <span>104 阅读</span> </li> </ul> </div> </div> </aside> </div> </main> <!--手机菜单--> <div class="uk-app-cat"> <ul> <li><a href="https://www.jztheme.com"><i class="ceofont ceoicon-home-smile-line"></i>首页</a></li> <li> <button class="uk-button" type="button"><i class="ceofont ceoicon-apps-line"></i>菜单</button> <div class="list" uk-drop="mode: click;pos: bottom-center"> <div class="title">问答菜单</div> <ul> <li><a href="https://www.jztheme.com/ask">全部</a></li> <li><a href="https://www.jztheme.com/ask/front-end">前端</a></li> <li><a href="https://www.jztheme.com/ask/framework">框架</a></li> <li><a href="https://www.jztheme.com/ask/component">组件</a></li> <li><a href="https://www.jztheme.com/ask/optimize">优化</a></li> <li><a href="https://www.jztheme.com/ask/interaction">交互</a></li> <li><a href="https://www.jztheme.com/ask/tool">工具</a></li> <li><a href="https://www.jztheme.com/ask/app">移动</a></li> <li><a href="https://www.jztheme.com/ask/safety">安全</a></li> <li><a href="https://www.jztheme.com/ask/follow">关注</a></li> </ul> </div> </li> <li><a href="#navbar-login" uk-toggle><i class="ceofont ceoicon-user-6-line"></i>我的</a></li> </ul> </div></div> <div id="navbar-login" class="uk-flex-top" uk-modal> <div class="uk-navbar-login uk-modal-dialog uk-margin-auto-vertical"> <div class="top"> <button class="uk-modal-close-default uk-modal-close" type="button" uk-close><i class="ceofont ceoicon-close-line"></i></button> <div class="title"> <a href="https://www.jztheme.com" alt="JZTHEME"> <img src="/logo.png" alt="JZTHEME" /> </a> <p>Hi~欢迎来到 JZTHEME 即刻开启你的创意之旅</p> </div> <form action="" method="POST" id="login-form" class="form login-weixin"> <div class="uk-inline uk-width-1-1 uk-margin-small-bottom"> <span class="uk-form-icon"><i class="ceofont ceoicon-smartphone-line"></i></span> <input class="uk-input" type="text" name="user_mobile" id="user_mobile" placeholder="请输入手机号" required="required"> </div> <div class="uk-inline uk-width-1-1"> <div class="uk-grid-10" uk-grid> <div class="uk-width-3-5"> <span class="uk-form-icon"><i class="ceofont ceoicon-newspaper-line"></i></span> <input class="uk-input" type="text" name="captcha" id="captcha" placeholder="请输入验证码" value=""> </div> <div class="uk-width-2-5"> <script>var is_sms_login=true</script> <button class="send_captcha_mobile mid dark uk-button" type="button" data-smstype="login" data-nonce="d704e6b6cd">获取验证码</button> </div> </div> </div> <div class="jztheme-tips uk-margin uk-text-danger"></div> <input type="hidden" name="action" value="zongcai_login_sms"> <button class="login-button mid dark uk-button">立即登录</button> </form> <div class="social"> <span>更多登录方式</span> <div class="type"> <a href="javascript:;" class="mid qq half qq_login_button ceo_qq_login" uk-tooltip="QQ登录"><i class="ceofont ceoicon-qq-fill"></i>QQ登录</a> <a href="https://www.jztheme.com/oauth/mpweixin" class="mpweixin_login_button mid weixin half" uk-tooltip="关注微信公众号登录"><i class="ceofont ceoicon-wechat-fill"></i>微信登录</a> </div> </div> </div> <div class="bottom"> <div class="info"> 注册登录即表示同意 《<a href="/about/terms" target="_blank">服务条款</a>》 和 《<a href="/about/agreement" target="_blank">隐私协议</a>》 </div> </div> </div> </div> <script> function is_in_weixin() { return "micromessenger" == navigator.userAgent.toLowerCase().match(/MicroMessenger/i) } $(".login-form .mpweixin_login_button,.login-form .mpweixin_login_button").on("click", function(e) { setTimeout(function (){ UIkit.modal('#navbar-login').show(); },500) }); $(document).on("click", ".mpweixin_login_button", function(e) { e.preventDefault(); var t = $(this) , a = t.html(); if (is_in_weixin()) return window.location.href = t.attr("href"), !0; $.post(jztheme.ajaxurl, { action: "get_mpweixin_qr" }, function(e) { if (1 == e.status) { $("#navbar-login").find('form').html('<img class="login-weixin-img" src="' + e.ticket_img + '"><p class="login-weixin-p">请使用微信扫码关注登录</p>'); $("#navbar-register").find('form').html('<img class="login-weixin-img" src="' + e.ticket_img + '"><p class="login-weixin-p">请使用微信扫码关注登录</p>'); var n = setInterval(function() { $.post(jztheme.ajaxurl, { action: "check_mpweixin_qr", scene_id: e.scene_id }, function(e) { 1 == e.status && (clearInterval(n), UIkit.notification('扫码成功,即将登录', { status: 'success' }), window.location.reload()) }) }, 5e3) } else alert(e.ticket_img); t.html(a) }) }); </script> <script>var verify_sms_send = 0</script> <script>var verify_jz_login = 0</script> <!-- 移动端加载效果 --> <div class="jz-page-loader" id="jz-page-loader"> <div class="loader-content"> <div class="uk-effect-loader"> <span class="bar"></span> <span class="bar"></span> <span class="bar"></span> </div> </div> </div> <div class="jz-follow"> <a href="javascript:void(0);" class="jz-return" id="jz-return-btn"> <i class="ceofont ceoicon-arrow-go-back-line"></i> </a> <a href="#header" class="jz-upward" uk-scroll> <i class="ceofont ceoicon-download-line"></i> </a> </div> <div id="uk-app-navbar" uk-offcanvas="overlay: true"> <div class="uk-offcanvas-bar"> <div class="uk-app-nav"> <button class="uk-offcanvas-close" type="button" uk-close></button> <div class="nav"> <div class="top"> <div class="logo"> <a href="https://www.jztheme.com"> <img src="https://www.jztheme.com/logo.png" alt="JZTHEME"> </a> </div> <div class="search"> <form method="get" class="uk-form jz-search-form" action="https://www.jztheme.com"> <div class="search-type"> <input type="hidden" name="search_type" id="search_type" value="elements"> <div class="selected-type" id="selected_type"> <span class="type-text">元素</span> <i class="ceofont ceoicon-arrow-down-s-line"></i> </div> <div class="type-dropdown" id="type_dropdown"> <div class="type-option" data-type="elements" data-text="元素">元素</div> <div class="type-option" data-type="tools" data-text="工具">工具</div> <div class="type-option" data-type="blog" data-text="博客">博客</div> <div class="type-option" data-type="ask" data-text="问答">问答</div> </div> </div> <input type="search" placeholder="输入关键字搜索" autocomplete="off" value="" name="s" required="required" class="uk-input"> <button class="uk-button" type="submit"><i class="ceofont ceoicon-search-2-line"></i></button> </form> </div> <ul> <li><a href="https://www.jztheme.com"><i class="ceofont ceoicon-home-smile-line"></i>首页</a></li> <li><a href="https://www.jztheme.com/elements"><i class="ceofont ceoicon-code-box-line"></i>元素</a></li> <li><a href="https://www.jztheme.com/css"><i class="ceofont ceoicon-css3-line"></i>CSS生成器</a></li> <li><a href="https://www.jztheme.com/tools"><i class="ceofont ceoicon-tools-line"></i>工具</a></li> <li><a href="https://www.jztheme.com/blog"><i class="ceofont ceoicon-pages-line"></i>博客</a></li> <li><a href="https://www.jztheme.com/ask"><i class="ceofont ceoicon-questionnaire-line"></i>问答</a></li> <li><a href="https://www.jztheme.com/note"><i class="ceofont ceoicon-chat-1-line"></i>笔记</a></li> </ul> </div> <div class="bottom"> <a href="#navbar-login" uk-toggle>登录/注册</a> </div> </div> </div> </div> </div> <script type="speculationrules"> {"prefetch":[{"source":"document","where":{"and":[{"href_matches":"/*"},{"not":{"href_matches":["/wp-*.php","/wp-admin/*","/images/*","/wp-content/*","/wp-content/plugins/*","/wp-content/themes/jztheme/*","/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]} </script> <script>var jz_like_nonce = "6091c72c02";</script><script id="pure-highlightjs-js" src="https://www.jztheme.com/wp-content/plugins/Pure-Highlightjs/assets/pure-highlight.js"></script> <script id="Prism-js-js" src="https://www.jztheme.com/wp-content/plugins/Pure-Highlightjs/highlight/prism.js"></script> <script id="ajax-js-extra"> var jztheme = {"ajaxurl":"https://www.jztheme.com/wp-admin/admin-ajax.php"}; var jz_feedback_ajax = {"nonce":"315b9ad0ec"}; var jz_poster_ajax = {"nonce":"ac04477663","post_id":"32864"}; var _jz_js = {"ajaxurl":"https://www.jztheme.com/wp-admin/admin-ajax.php","theme_url":"https://www.jztheme.com/wp-content/themes/jztheme","login_url":"/user/login","register_url":"/user/register","message_url":"https://www.jztheme.com/user/message","followed_btn":"\u5df2\u5173\u6ce8","follow_btn":"\u5173\u6ce8","webp":"","is_user_logged_in":"","current_user_id":"0","load_more_author_content_nonce":"1e223e5b63"}; var _jz_js = {"ajaxurl":"https://www.jztheme.com/wp-admin/admin-ajax.php","theme_url":"https://www.jztheme.com/wp-content/themes/jztheme","login_url":"/user/login","register_url":"/user/register","message_url":"https://www.jztheme.com/user/message","followed_btn":"\u5df2\u5173\u6ce8","follow_btn":"\u5173\u6ce8","webp":"","is_user_logged_in":"","current_user_id":"0","comment_reply_nonce":"cf4dc1436d","comment_like_nonce":"150109f00b"}; //# sourceURL=ajax-js-extra </script> <script id="ajax-js" src="https://www.jztheme.com/wp-content/themes/jztheme/static/js/ajax.js"></script> <script id="tinymce-js" src="https://cdn.jsdelivr.net/npm/tinymce@6.8.2/tinymce.min.js"></script> <script id="ask-answer-js" src="https://www.jztheme.com/wp-content/themes/jztheme/static/js/ask-answer.js"></script> <script id="interaction-js" src="https://www.jztheme.com/wp-content/themes/jztheme/static/js/interaction.js"></script> <script> console.log("43/0.29278"); </script> <script> (function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https'){ bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s); })(); </script> </body> </html> <!-- Performance optimized by Redis Object Cache. Learn more: https://wprediscache.com -->
根本原因是浏览器的安全策略和 iframe 的 sandbox 属性
失效的原因第一,如果攻击者的 iframe 加了 sandbox 属性比如