CSP 防点击劫持：frame-ancestors 与嵌入治理

52 阅读 0 评论 0 点赞

概述

点击劫持通过隐藏/半透明 iframe 诱导用户误点。Content-Security-Policy: frame-ancestors 指定允许嵌入当前页面的来源，现代方案优于过时的 X-Frame-Options，并支持更灵活的来源匹配与子域控制。

用法与示例

禁止任何嵌入 Content-Security-Policy: frame-ancestors 'none' 仅允许同源与特定父站 Content-Security-Policy: frame-ancestors 'self' https://partner.example 迁移建议：移除 X-Frame-Options，统一使用 CSP frame-ancestors

验证与检测

使用浏览器开发者工具与报表端点（report-to/report-uri）观察被拒绝的嵌入尝试。

在受控测试页通过 </code> 进行验证。</li></p> <p></ul></p> <p><p>工程建议</p></p> <p><ul></p> <p><li>最小权限：默认 <code>none</code> 或仅允许可信父页面；避免通配过度放宽。</li></p> <p><li>与 SSO/后台协作：在确需嵌入的业务场景列出白名单并定期审查。</li></p> <p><li>监控：逐步灰度收紧策略，记录影响并修复。</li></p> <p></ul></p> <p><p>参考与验证</p></p> <p><ul></p> <p><li>MDN CSP frame-ancestors 文档：https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors</li></p> <p><li>web.dev CSP 指南：https://web.dev/articles/csp</li></p> <p><li>OWASP 点击劫持防护建议：https://owasp.org/www-community/attacks/Clickjacking</li></p> <p></ul></p> </p>  </div>    <div class="article-donate"> <a href="javascript:" class="btn btn-primary btn-like btn-lg" data-action="vote" data-type="like" data-id="1417" data-tag="archives"><i class="fa fa-thumbs-up"></i> 点赞(<span>0</span>)</a> <a href="javascript:" class="btn btn-outline-primary btn-donate btn-lg" data-action="donate" data-id="1417" data-image="/uploads/20260429/4e48f2622b6c6f605d739f326d8958c2.png"><i class="fa fa-cny"></i> 打赏</a> </div>   <div class="social-share text-center mt-2 mb-1" data-initialized="true" data-mode="prepend" data-image=""> <a href="javascript:" class="social-share-icon icon-heart addbookbark" data-type="archives" data-aid="1417" data-action="/addons/cms/ajax/collection"></a> <a href="#" class="social-share-icon icon-weibo" target="_blank"></a> <a href="#" class="social-share-icon icon-qq" target="_blank"></a> <a href="#" class="social-share-icon icon-qzone" target="_blank"></a> <a href="javascript:" class="social-share-icon icon-wechat"></a> </div>  <div class="entry-meta"> <ul>  <li>本文分类：<a href="/security.html">网络安全</a></li> <li>本文标签：无</li> <li>浏览次数：<span>52</span> 次浏览</li> <li>发布日期：2026-04-30 13:42:22</li> <li>本文链接：<a href="https://ybb.press/security/1417.html">https://ybb.press/security/1417.html</a></li>  </ul> <ul class="article-prevnext">  <li> <span>上一篇 ></span> <a href="/security/1416.html">CSP 报告端点与违规检测平台（2025）</a> </li> <li> <span>下一篇 ></span> <a href="/security/1418.html">CSP与SRI前端资源安全策略实践</a> </li>  </ul> </div> <div class="related-article"> <div class="row">  <div class="col-sm-3 col-xs-6"> <a href="/api-development/2232.html" class="img-zoom"> <div class="embed-responsive embed-responsive-4by3"> <img src="" alt="Popover API 实战：锚定弹出层的无障碍与性能" class="embed-responsive-item"> </div> </a> <h5 class="text-center"><a href="/api-development/2232.html">Popover API 实战：锚定弹出层的无障碍与性能</a></h5> </div> <div class="col-sm-3 col-xs-6"> <a href="/api-development/2231.html" class="img-zoom"> <div class="embed-responsive embed-responsive-4by3"> <img src="" alt="Popover API 原生弹层：无框架交互与可访问性" class="embed-responsive-item"> </div> </a> <h5 class="text-center"><a href="/api-development/2231.html">Popover API 原生弹层：无框架交互与可访问性</a></h5> </div> <div class="col-sm-3 col-xs-6"> <a href="/api-development/2221.html" class="img-zoom"> <div class="embed-responsive embed-responsive-4by3"> <img src="" alt="Payment Request API 实战：支付流程与兼容回退" class="embed-responsive-item"> </div> </a> <h5 class="text-center"><a href="/api-development/2221.html">Payment Request API 实战：支付流程与兼容回退</a></h5> </div> <div class="col-sm-3 col-xs-6"> <a href="/api-development/2211.html" class="img-zoom"> <div class="embed-responsive embed-responsive-4by3"> <img src="" alt="OpenTelemetry 全栈可观测性落地指南（2025）" class="embed-responsive-item"> </div> </a> <h5 class="text-center"><a href="/api-development/2211.html">OpenTelemetry 全栈可观测性落地指南（2025）</a></h5> </div>  </div> </div> <div class="clearfix"></div> </div> </div> <div class="panel panel-default" id="comments"> <div class="panel-heading"> <h3 class="panel-title">评论列表 <small>共有 <span>0</span> 条评论</small> </h3> </div> <div class="panel-body"> <div id="comment-container">  <div id="commentlist"> <div class="loadmore loadmore-line loadmore-nodata"><span class="loadmore-tips">暂无评论</span></div> </div>   <div id="commentpager" class="text-center"> </div>   <div id="postcomment"> <h3>发表评论 <a href="javascript:;"> <small>取消回复</small> </a></h3> <form action="/addons/cms/comment/post" method="post" id="postform"> <input type="hidden" name="__token__" value="321297809148acc418fb997f9444bfae" /> <input type="hidden" name="type" value="archives"/> <input type="hidden" name="aid" value="1417"/> <input type="hidden" name="pid" id="pid" value="0"/> <div class="form-group"> <textarea name="content" class="form-control" disabled placeholder="请登录后再发表评论" id="commentcontent" cols="6" rows="5" tabindex="4"></textarea> </div> <div class="form-group"> <a href="/index/user/login" class="btn btn-primary">登录</a> <a href="/index/user/register" class="btn btn-outline-primary">注册新账号</a> </div> </form> </div>  </div> </div> </div> </main> <aside class="col-xs-12 col-md-4">   <div class="panel panel-blockimg"> </div>  <div class="panel panel-default hot-article"> <div class="panel-heading"> <h3 class="panel-title">推荐资讯</h3> </div> <div class="panel-body"> <div class="media media-number"> <div class="media-left"> <span class="num tag">1</span> </div> <div class="media-body"> <a class="link-dark" href="/cloud-native/1203.html" title="103 Early Hints 与 Preload：关键资源提速实践">103 Early Hints 与 Preload：关键资源提速实践</a> </div> </div> <div class="media media-number"> <div class="media-left"> <span class="num tag">2</span> </div> <div class="media-body"> <a class="link-dark" href="/network-tech/1204.html" title="103 Early Hints 与 Preload：替代 Server Push 的实践">103 Early Hints 与 Preload：替代 Server Push 的实践</a> </div> </div> <div class="media media-number"> <div class="media-left"> <span class="num tag">3</span> </div> <div class="media-body"> <a class="link-dark" href="/machine-learning/1270.html" title="ARIA Live Regions：动态内容通告与无障碍实践">ARIA Live Regions：动态内容通告与无障碍实践</a> </div> </div> <div class="media media-number"> <div class="media-left"> <span class="num tag">4</span> </div> <div class="media-body"> <a class="link-dark" href="/cloud-native/1272.html" title="AWS Lambda SnapStart 与冷启动优化（2025）">AWS Lambda SnapStart 与冷启动优化（2025）</a> </div> </div> <div class="media media-number"> <div class="media-left"> <span class="num tag">5</span> </div> <div class="media-body"> <a class="link-dark" href="/frontend-frameworks/1286.html" title="Angular 18 稳定版解读：Zoneless 与信号驱动变更检测">Angular 18 稳定版解读：Zoneless 与信号驱动变更检测</a> </div> </div> <div class="media media-number"> <div class="media-left"> <span class="num tag">6</span> </div> <div class="media-body"> <a class="link-dark" href="/frontend-frameworks/1291.html" title="Ant Design 对 React 19 的兼容方案">Ant Design 对 React 19 的兼容方案</a> </div> </div> <div class="media media-number"> <div class="media-left"> <span class="num tag">7</span> </div> <div class="media-body"> <a class="link-dark" href="/machine-learning/1298.html" title="Apache Flink 检查点与保存点实践">Apache Flink 检查点与保存点实践</a> </div> </div> <div class="media media-number"> <div class="media-left"> <span class="num tag">8</span> </div> <div class="media-body"> <a class="link-dark" href="/network-tech/1318.html" title="App跳转小程序支付">App跳转小程序支付</a> </div> </div> <div class="media media-number"> <div class="media-left"> <span class="num tag">9</span> </div> <div class="media-body"> <a class="link-dark" href="/cloud-native/1331.html" title="Artifact Registry跨云来源治理（GCR-ECR-ACR-白名单）最佳实践">Artifact Registry跨云来源治理（GCR-ECR-ACR-白名单）最佳实践</a> </div> </div> <div class="media media-number"> <div class="media-left"> <span class="num tag">10</span> </div> <div class="media-body"> <a class="link-dark" href="/machine-learning/1337.html" title="Audio 输出设备选择：HTMLMediaElement.setSinkId">Audio 输出设备选择：HTMLMediaElement.setSinkId</a> </div> </div> </div> </div>  <div class="panel panel-blockimg"> </div>  <div class="panel panel-default hot-tags"> <div class="panel-heading"> <h3 class="panel-title">热门标签</h3> </div> <div class="panel-body"> <div class="tags"> </div> </div> </div>   <div class="panel panel-default recommend-article"> <div class="panel-heading"> <h3 class="panel-title">推荐下载</h3> </div> <div class="panel-body"> </div> </div>  <div class="panel panel-blockimg"> </div> </aside> </div> </div> </main> <footer> <div id="footer"> <div class="container"> <div class="row footer-inner"> <div class="col-xs-12"> <div class="footer-logo pull-left mr-4"> <a href="/"><i class="fa fa-bookmark"></i></a> </div> <div class="pull-left"> Copyright © 2026 All rights reserved. 叶斌兵 <ul class="list-unstyled list-inline mt-2"> <li><a href="/p/aboutus">关于我们</a></li> <li><a href="/p/agreement">用户协议</a></li> <li><a href="/index/user/index">会员中心</a></li> </ul> </div> </div> </div> </div> </div> </footer> <div id="floatbtn">  <a class="hover" href="/index/cms.archives/post" target="_blank"> <i class="iconfont icon-pencil"></i> <em>立即<br>投稿</em> </a> <div class="floatbtn-item floatbtn-share"> <i class="iconfont icon-share"></i> <div class="floatbtn-wrapper" style="height:50px;top:0"> <div class="social-share" data-initialized="true" data-mode="prepend"> <a href="#" class="social-share-icon icon-weibo" target="_blank"></a> <a href="#" class="social-share-icon icon-qq" target="_blank"></a> <a href="#" class="social-share-icon icon-qzone" target="_blank"></a> <a href="#" class="social-share-icon icon-wechat"></a> </div> </div> </div> <a href="javascript:;"> <i class="iconfont icon-qrcode"></i> <div class="floatbtn-wrapper"> <div class="qrcode"><img src="/uploads/20260429/39f1feff0842a8e7fed2b1ca973ccc3a.jpg"></div> <p>微信公众账号</p> <p>微信扫一扫加关注</p> </div> </a> <a id="feedback" class="hover" href="#comments"> <i class="iconfont icon-feedback"></i> <em>发表<br>评论</em> </a> <a id="back-to-top" class="hover" href="javascript:;"> <i class="iconfont icon-backtotop"></i> <em>返回<br>顶部</em> </a>  </div> <script type="text/javascript" src="/assets/libs/jquery/dist/jquery.min.js?v=1.0.43"></script> <script type="text/javascript" src="/assets/libs/bootstrap/dist/js/bootstrap.min.js?v=1.0.43"></script> <script type="text/javascript" src="/assets/libs/fastadmin-layer/dist/layer.js?v=1.0.43"></script> <script type="text/javascript" src="/assets/libs/art-template/dist/template-native.js?v=1.0.43"></script> <script type="text/javascript" src="/assets/addons/cms/js/jquery.autocomplete.js?v=1.0.43"></script> <script type="text/javascript" src="/assets/addons/cms/js/swiper.min.js?v=1.0.43"></script> <script type="text/javascript" src="/assets/addons/cms/js/share.min.js?v=1.0.43"></script> <script type="text/javascript" src="/assets/addons/cms/js/cms.js?v=1.0.43"></script> <script type="text/javascript" src="/assets/addons/cms/js/common.js?v=1.0.43"></script> <script type="text/javascript" src="/assets/js/image-error-handler.js?v=1.0.43"></script> <script> // 初始化图片错误处理 $(document).ready(function(){ if (typeof ImageErrorHandler !== 'undefined') { ImageErrorHandler.init(); } }); </script>  <script type="text/javascript" src="/assets/addons/fastchat/js/fastchat.js?v=1.0.43"></script> <link rel="stylesheet" href="/assets/addons/fastchat/css/fastchat.css"> <script> // 初始化FastChat聊天插件 $(document).ready(function(){ if (typeof FastChat !== 'undefined') { // 使用当前域名，通过 Nginx /wss 反向代理连接 var currentHost = window.location.hostname; FastChat.initialize(currentHost, 'index'); } else { console.warn('FastChat未加载，请检查文件路径是否正确'); } }); </script> </body> </html>