
javascript - How to crack top.location.href =window.location.href and embed other people's web pages through iframe?

Like the title, it may not be clear enough.
There is a demand at hand. The product manager said: "Xiao Hu, our product needs to add a new function, which is to be able to display well-written H5 pages, or provide web page display to users, such as displaying such-and-such news website."
I think, since I want to do such a rogue thing, I have used iframe to embed third-party pages in the past, so I might as well use this, and I haven't found any other methods.
Then the problem arises. For example, if a news website embeds it, it becomes the main focus of the website and directly kills my html page! After unremitting efforts, it was discovered that the webpage had an "anti-operator hijacking code"; the code is as follows:

<!-- Anti-operator hijacking: start -->
<style type="text/css">
    html {
        display:none;
    }
</style>
<script>
    if( self == top ) {
        document.documentElement.style.display = 'block' ;
    } else {
        top.location = self.location ;
    }
</script>
<!-- Anti-operator hijacking: end -->

Can anyone help me crack it?

The following methods have been used:

// Added before the </head> tag of the main window
<script type="text/javascript">
var location=document.location
</script>
// or:
<script type="text/javascript">
var location=""
</script>

However, it was no use...

高洛峰 · 2712 days ago · 1241


  • 怪我咯

    怪我咯 2017-05-19 10:16:12

    What the respondent on the first floor said is absolutely true.
    The current solution is to disable the jump through the iframe's "sandbox" attribute.
    All mainstream browsers support the sandbox attribute. However, IE 9 and earlier versions do not support the sandbox attribute, and Opera 12 and earlier versions also do not support this attribute.
    If you want to be compatible with IE8 and below, please ignore this answer!!!
    iframe’s sandbox attributes and values:

    If you don’t set allow-top-navigation, you won’t be forced to jump!!!
    Of course, you will find that the page does not jump but its content is not displayed either. Taking xw.qq.com as an example, you will find that this is because the html in the iframe is set to "display:none";

      // The following code works in an HTML page embedded in Android as a webview
      // ("iframe的id" stands for the id of the iframe)
      $(window.frames["iframe的id"].document).find("html").css('display', 'block') // based on jQuery

    The antidote has not been found on the PC yet.
    A cross-domain error is reported!!

    Normal interface (front-end page in android webview):

    Code (self-debugging, pc bypass!):

        var iframe = document.createElement("iframe");
        iframe.id = "iframeId";
        iframe.src = "xw.qq.com";
        iframe.style.width = "100%";
        iframe.style.height = "100%";
        // No allow-top-navigation token, so the framed page cannot redirect the top window
        iframe.sandbox = "allow-scripts allow-same-origin";
        iframe.frameBorder = "0";
        iframe.scrolling = "no";
        iframe.marginWidth = "0";
        iframe.marginHeight = "0";
        iframe.border = "0";
        if (! /*@cc_on!@*/ 0) { // when the browser is not IE
            iframe.onload = function () {
                console.log("已经加载完成!/no IE");
                // Reaching into the framed document only works when it is same-origin with this page
                $(window.frames["iframeId"].document).find("html").css('display', 'block');
            };
        } else {
            iframe.onreadystatechange = function () {
                if (iframe.readyState == "complete") {
                    console.log("已经加载完成!/ IE");
                    $(window.frames["iframeId"].document).find("html").css('display', 'block');
                }
            };
        }
        // $this.appDom is defined elsewhere in the poster's code
        $this.appDom.html(iframe);
        

  • 滿天的星座

    滿天的星座 2017-05-19 10:16:12

    http://www.w3school.com.cn/tags/att_iframe_sandbox.asp
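    How about this? It blocks actions on the containing page, but it does not block script execution.
    Or just don't use an iframe. Put a screenshot there, and when people want to read it, let them jump to the page through an <a> tag.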

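The sandbox behaviour discussed in the answers above, as an added example that is not part of the original posts: a small JavaScript model of how the iframe sandbox tokens decide whether the frame-busting snippet from the question navigates the top window or leaves the page hidden. The URLs are constructed sample values, the function names are hypothetical, and the model covers the sandbox flags only, not other browser navigation rules.

```javascript
// Added example (not from the thread): outcome of the question's hide-by-default
// frame-buster under a given <iframe sandbox> value. URLs are constructed samples.

function parseSandbox(attr) {
  // null/undefined = attribute absent (no sandboxing); "" = every restriction on.
  if (attr == null) return null;
  return new Set(attr.toLowerCase().split(/\s+/).filter(Boolean));
}

function frameBusterOutcome(sandboxAttr, embedderUrl, framedUrl) {
  const flags = parseSandbox(sandboxAttr);
  const sandboxed = flags !== null;
  // The snippet's <script> only executes if scripting is permitted in the frame.
  const scriptsRun = !sandboxed || flags.has("allow-scripts");
  // top.location = ... runs at load time without a user gesture, so only the
  // unconditional allow-top-navigation token lets a sandboxed frame do it.
  const sandboxBlocksTopNav = sandboxed && !flags.has("allow-top-navigation");
  // Without allow-same-origin the framed document is given an opaque origin,
  // so it is cross-origin to every embedder, including its own site.
  const keepsOrigin = !sandboxed || flags.has("allow-same-origin");
  const embedderCanTouchDom =
    keepsOrigin && new URL(embedderUrl).origin === new URL(framedUrl).origin;
  // The <style> hides <html> unconditionally; when the jump does not happen,
  // nothing in the snippet ever sets display back to block inside a frame.
  const result =
    scriptsRun && !sandboxBlocksTopNav ? "top-navigated" : "stays-hidden";
  return { scriptsRun, sandboxBlocksTopNav, embedderCanTouchDom, result };
}

// Constructed sample cases: a cross-origin embed with different sandbox values.
const EMBEDDER = "https://app.example/page.html";
const FRAMED = "https://news.example/article.html";
const CASES = [
  null,
  "",
  "allow-scripts allow-same-origin",
  "allow-scripts allow-top-navigation",
  "allow-scripts allow-top-navigation-by-user-activation",
];
for (const attr of CASES) {
  const o = frameBusterOutcome(attr, EMBEDDER, FRAMED);
  console.log(JSON.stringify(attr), "->", o.result,
    "| embedder can touch framed DOM:", o.embedderCanTouchDom);
}
```

For a site owner, the `stays-hidden` rows show why the snippet's `display:none` default matters: a sandboxed cross-origin embed suppresses the jump but still renders nothing.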