How can I disable someone from loading a page in an iframe and using javascript to submit?

https://stackoverflow.com/questions/22265326

html
JavaScript
iframe
exploit

11-06-2023
|

Вопрос

Title says it all.

Imagine this:

<!DOCTYPE html>
<html>
<head>
</head>
<body>
<iframe style="display:none" name="xxx"></iframe>
<form method='POST' action='http://MYPAGE.com/account/' target="xxx" id="xxx">
  <input type='hidden' name='xxxxxxx' value='yyyyyyyy'>
  <input type='submit' value='submit'>
</form>
<script>document.getElementById("xxx").submit()</script>
</body>

How can I disable an attack like that?

Решение

Use the X-Frame-Options and set it to DENY or SAMEORIGIN. DENY will completely deny anybody from framing the page in an iframe and SAMEORIGIN will only allow the same origin to display the page in an iframe. See https://coderwall.com/p/kdv1hw for more information.

Лицензировано под: CC-BY-SA с атрибуция

Не связан с StackOverflow