Updated: 2023-12-05 22:24:04
Is there a way to load a page, hidden from the user?
I can't use an iframe in a background page, because the page has frame-busting techniques.
I can't use an XHR, because the page has AJAX - I need its (dynamically generated) DOM.
I'm afraid that you don't have any other option than inserting the iframe anyway. To bust the iframe buster, you can employ the following techniques:
X-Frame-Options: DENY, just remove the header using the webRequest API - see Getting around X-Frame-Options DENY in a Chrome extension?.
If the frame buster uses something like
if (top !== self) {
top.location.href = location.href;
}
Then block the scripted navigation by setting the sandbox attribute on the iframe:
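var frame = document.createElement('iframe');
// Scripts may run, but 'allow-top-navigation' is deliberately not granted
frame.sandbox = 'allow-scripts';
// Demo document: a typical frame buster followed by the rest of the page's code
frame.src = 'data:text/html,<script>' +
'if (top !== self) { top.location.href = location.href;}' +
'alert(" (runs the rest of the code) ");' +
'</script>';
document.body.appendChild(frame);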
Navigation will be blocked without throwing any errors. The following message is logged to the console though:
Unsafe JavaScript attempt to initiate navigation for frame with URL '(...URL of top page...)' from frame with URL '(....URL of frame..)'. The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.
These methods will always work, unless:
<meta http-equiv="X-Frame-Options" content="deny">.
if (top === self) { /* run code*/ }
In these cases, you have no other option than opening a new tab, reading its content, then closing it. See chrome.tabs.create and chrome.tabs.remove.
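Added example, not part of the original answer: a Node-runnable model of the two frame-buster styles mentioned above, showing from the site owner's side why the navigating form fails open inside a sandboxed iframe while the top === self gate does not. The mock window objects, makeFrame, the .example URLs and the result strings are constructed for illustration and only model the browser behaviour the answer describes.

```javascript
// Constructed {top, self} pair. sandbox === null means no sandbox attribute.
// With a sandbox that lacks 'allow-top-navigation', writes to top.location.href
// are dropped silently (the behaviour described in the answer).
function makeFrame(sandbox, framed) {
  const allowTopNav = sandbox === null ||
    sandbox.split(/\s+/).includes('allow-top-navigation');
  let topHref = framed ? 'https://embedder.example/' : 'https://site.example/';
  const top = { location: {
    get href() { return topHref; },
    set href(v) { if (allowTopNav) topHref = v; },
  } };
  const self = framed ? { location: { href: 'https://site.example/' } } : top;
  return { top, self };
}

// Style 1: navigate the top window away, then carry on with the page's code.
function navigatingBuster({ top, self }) {
  if (top !== self) {
    top.location.href = self.location.href;
    // If the navigation took effect, the framed document is discarded.
    if (top.location.href === self.location.href) return 'escaped-frame';
  }
  return 'ran-sensitive-code'; // reached even when still framed: fails open
}

// Style 2: run the page's code only when the document is top-level.
function gatedBuster({ top, self }) {
  if (top === self) return 'ran-sensitive-code';
  return 'refused-in-frame'; // fails closed, whatever the embedder does
}

// Run both styles against fresh mock windows for each embedding scenario.
function compare() {
  const scenarios = {
    'top-level': [null, false],
    'plain iframe': [null, true],
    'sandbox="allow-scripts"': ['allow-scripts', true],
  };
  const out = {};
  for (const [name, args] of Object.entries(scenarios)) {
    out[name] = {
      navigating: navigatingBuster(makeFrame(...args)),
      gated: gatedBuster(makeFrame(...args)),
    };
  }
  return out;
}

console.table(compare());
```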