点击劫持保护¶

点击劫持的一个例子¶

Suppose an online store has a page where a logged-in user can click "Buy Now" to purchase an item. A user has chosen to stay logged into the store all the time for convenience. An attacker site might create an "I Like Ponies" button on one of their own pages, and load the store's page in a transparent iframe such that the "Buy Now" button is invisibly overlaid on the "I Like Ponies" button. If the user visits the attacker's site, clicking "I Like Ponies" will cause an inadvertent click on the "Buy Now" button and an unknowing purchase of the item.

防止点击劫持¶

现代浏览器尊重 X-Frame-Options HTTP 头，它表明是否允许在框架或 iframe 中加载资源。如果响应包含值为 SAMEORIGIN 的头，那么只有当请求来自同一个网站时，浏览器才会在框架中加载资源。如果头被设置为 DENY，那么无论请求是由哪个网站发出的，浏览器都会阻止资源在框架中加载。

Django 提供了一些方法来在你的网站的响应中包含这个头：

1. 一个在所有响应中设置头的中间件。

2. 一组可用于覆盖中间件或仅为某些视图设置头的视图装饰器。

X-Frame-Options HTTP 头只有在响应中还没有出现的情况下，才会被中间件或视图装饰者设置。

如何使用它¶

MIDDLEWARE = [
    ...,
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    ...,
]

X_FRAME_OPTIONS = "SAMEORIGIN"

from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_exempt


@xframe_options_exempt
def ok_to_load_in_a_frame(request):
    return HttpResponse("This page is safe to load in a frame on any site.")

from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_deny
from django.views.decorators.clickjacking import xframe_options_sameorigin


@xframe_options_deny
def view_one(request):
    return HttpResponse("I won't display in any frame!")


@xframe_options_sameorigin
def view_two(request):
    return HttpResponse("Display in a frame if it's from the same origin as me.")

限制¶

X-Frame-Options 头部仅能在 现代浏览器 中防止点击劫持。