# iframe Injection

## Overview

The [`<iframe>`](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe) tag embeds one HTML document inside another. If the embedded document comes from a different origin, the same-origin policy prevents each side from reading the other document's content.

## Open Redirect

A child document can read and set the parent document's location, even across origins, through `top.window.location`.

For example, suppose `vulnerable-website.com` contains the following `iframe`:

```html
<iframe src="//malicious-website.com/toplevel.html"></iframe>
```

where `https://malicious-website.com/toplevel.html` is:

```html
<html>
<head></head>
<body>
  <script>
    // Navigate the top-level (parent) window, not just this frame
    top.window.location = "https://malicious-website.com/pwned.html";
  </script>
</body>
</html>
```

When the `iframe` loads, the parent document is redirected to `https://malicious-website.com/pwned.html`, even though the child document was loaded from a different origin. In this case the same-origin policy is bypassed because the `iframe` was not "sandboxed"; see the [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe) iframe attribute, which blocks top-level navigation unless `allow-top-navigation` is explicitly granted.
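As an added example that is not part of the original page, the following Node.js check audits a page's HTML for iframes that could perform this top-level redirect: cross-origin frames with no `sandbox` attribute, or with a sandbox that grants `allow-top-navigation` or `allow-top-navigation-by-user-activation`. The sample HTML and the regex-based attribute parsing are constructed for illustration (it is not a full HTML parser).

```javascript
// Added example: flag iframes that may navigate the top-level window.
// A cross-origin frame can set top.window.location unless it is sandboxed
// without an allow-top-navigation* token.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute text of one tag into a lowercase-name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Resolve src against the embedding page's origin; null if unparsable.
function srcOrigin(src, pageOrigin) {
  try { return new URL(src, pageOrigin).origin; } catch { return null; }
}

// True when the sandbox (or lack of one) still permits top navigation.
function canNavigateTop(attrs) {
  if (!("sandbox" in attrs)) return true; // no sandbox at all
  const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes("allow-top-navigation") ||
         tokens.includes("allow-top-navigation-by-user-activation");
}

// Return one finding per cross-origin iframe that can redirect the parent.
function auditIframes(html, pageOrigin) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    const src = attrs.src ?? "";
    const origin = srcOrigin(src, pageOrigin);
    if (origin !== null && origin !== pageOrigin && canNavigateTop(attrs)) {
      findings.push({ src, sandbox: attrs.sandbox ?? null });
    }
  }
  return findings;
}

// Constructed sample page: the frame from the text, plus a hardened copy.
const SAMPLE_HTML = `
<iframe src=//malicious-website.com/toplevel.html></iframe>
<iframe src="//malicious-website.com/toplevel.html" sandbox="allow-scripts"></iframe>
<iframe src="/help.html"></iframe>`;

module.exports = { parseAttrs, canNavigateTop, auditIframes, SAMPLE_HTML };
```

Only the first, unsandboxed frame is reported; the sandboxed copy and the same-origin frame are not.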

References:

* [`<meta>` and `<iframe>` tags leading to SSRF](https://medium.com/@know.0nix/hunting-good-bugs-with-only-html-d8fd40d17b38)
