How to allow iframe embedding only for whitelisted websites?
Problem description
I've a form that I'd like to embed in a website, which is on my whitelist.
Other websites, that try to embed it, should get only an error page.
<iframe src="https://domain.tld/getForm.php?embed=1&formId=123456"></iframe>
I was hoping that I could use $_SERVER['HTTP_REFERER'] in getForm.php to check the embedding website, but it's not working.
Does anyone know a best practice or any workaround?
Thanks in advance!
Recommended answer
Most browsers will support the X-Frame-Options header.
This header will block access:
X-Frame-Options: SAMEORIGIN
This header will allow access:
X-Frame-Options: ALLOW-FROM [uri]
Example options:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
Example in PHP:
<?php header('X-Frame-Options: SAMEORIGIN'); ?>
You can read further here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Hope this helps!
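
An added example, not part of the original answer: ALLOW-FROM takes a single URI, so a whitelist of several embedding sites can instead be sent as a Content-Security-Policy `frame-ancestors` directive, which the browser enforces without relying on the Referer header. The allowlist origins and the function names here are assumptions made for illustration.

```php
<?php
// Added example: origins and function names below are hypothetical/constructed.
const EMBED_ALLOWLIST = [
    'https://partner-one.example',
    'https://partner-two.example:8443',
];

// Reduce an allowlist entry to https://host[:port]; return null for anything else.
function normalize_origin(string $entry): ?string
{
    $parts = parse_url(trim($entry));
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return null;
    }
    // An origin carries no credentials, query, fragment or path (a bare "/" is tolerated).
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['query']) || isset($parts['fragment'])) {
        return null;
    }
    if (($parts['path'] ?? '/') !== '/') {
        return null;
    }
    // Restrict host characters so an entry cannot smuggle in extra directives or header lines.
    if (!preg_match('/^[a-z0-9.-]+$/i', $parts['host'])) {
        return null;
    }
    $origin = 'https://' . strtolower($parts['host']);
    return isset($parts['port']) ? $origin . ':' . $parts['port'] : $origin;
}

// Build the response header lines that tell the browser which sites may frame the page.
function framing_headers(array $allowlist): array
{
    $origins = array_values(array_unique(array_filter(array_map('normalize_origin', $allowlist))));
    if ($origins === []) {
        // Nothing valid on the list: refuse all framing.
        return ["Content-Security-Policy: frame-ancestors 'none'", 'X-Frame-Options: DENY'];
    }
    return ['Content-Security-Policy: frame-ancestors ' . implode(' ', $origins)];
}

// In getForm.php this must run before any output is sent.
foreach (framing_headers(EMBED_ALLOWLIST) as $line) {
    if (PHP_SAPI === 'cli') {
        echo $line, PHP_EOL; // command-line run: show the header instead of sending it
    } else {
        header($line);
    }
}
```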