Windows Azure iframe domain provider = issue with X-Frame-Options


Problem description

I have a problem with my custom domain name. My domain provider put the redirect website inside the iframe.

<HTML><HEAD><TITLE></TITLE></HEAD>
<FRAMESET ROWS="*"><FRAME NAME=997 NORESIZE SRC="xxx. azurewebsites .net/">
<NOFRAMES><BODY><A HREF="xxx. azurewebsites .net/">click here</A></BODY></NOFRAMES>        </FRAMESET></HTML>

Currently I am using azurewebsites hosting, and when I access my website through my custom domain I cannot use any action apart from the home controller.

The problem is with the x-frame-options header, such as:

Refused to display '' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Are there any solutions for such behaviour? Or is it a problem with my domain provider?

Best regards.

Recommended answer

I spent a couple of days (really a lot of time for me) trying to resolve this issue, but finally I found a workaround.

To be honest, I have read a lot of articles about the x-frame problem and its attributes (Deny, SameOrigin, AllowsAll, AllowsFor, etc.) and I haven't found any reliable solution for this issue. I do understand the problem of clickjacking and cross-site issues of course; however, I am aware that my proposition is not fully proper and secure, because it removes the value of the header from the request.

So this is it, in Global.asax.cs:

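using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Optimization;
using System.Web.Routing;

namespace xxxx
{
    public class MvcApplication : HttpApplication
    {
        protected void Application_Start()
        {
            // Standard MVC start-up registration.
            AreaRegistration.RegisterAllAreas();
            FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
            RouteConfig.RegisterRoutes(RouteTable.Routes);
            BundleConfig.RegisterBundles(BundleTable.Bundles);
        }

        // Runs at the end of every request: blanks the X-Frame-Options value
        // so the browser no longer applies SAMEORIGIN. This lifts the framing
        // restriction for every site, not only the domain provider's frameset.
        private void Application_EndRequest(object sender, EventArgs e)
        {
            Response.Headers["X-FRAME-OPTIONS"] = string.Empty;
        }
    }
}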

To sum up, I have to admit a couple of things:

The Chrome browser does not support the AllowFor attribute, nor AllowAll. It understands only the Deny and SameOrigin attributes; on the other hand, Internet Explorer deals with the AllowAll attribute. Firefox behaves similarly to Chrome.

Also, IIS or Windows Azure hosts automatically add this header to the response with the SameOrigin attribute (the same as the Somme.com host).

In a case such as mine (and that of other people, as I noticed: http://www.windows-azure.net/x-frame-options-header-is-not-changing-in-azure-web-role/) the only solution is to resign from the x-frame-options header. Although it seems to me that web browsers should at least support the AllowFor attribute to overcome such an issue.

Thanks and regards!

Grzegorz
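
An added example, not part of the original answer or of any project code: instead of blanking the header for every framer, the response can name the one origin that is allowed to frame the site with the Content-Security-Policy `frame-ancestors` directive. The `FramingPolicy` class and the origin in `AllowedFramers` are hypothetical placeholders; substitute the custom domain that serves the provider's frameset.

```csharp
using System;
using System.Linq;
using System.Web;

namespace xxxx
{
    // Hypothetical helper; call FramingPolicy.Apply(Response) from
    // Application_EndRequest in Global.asax.cs.
    public static class FramingPolicy
    {
        // Assumption: the only legitimate framer is the custom domain whose
        // provider wraps the site in a frameset. Placeholder value.
        private static readonly string[] AllowedFramers =
        {
            "http://www.example-custom-domain.test"
        };

        // Builds "frame-ancestors 'self' <origin> ..." and rejects anything
        // that is not a bare http(s) origin, so a typo cannot widen the policy.
        public static string BuildFrameAncestors(params string[] origins)
        {
            var checkedOrigins = origins.Select(o =>
            {
                Uri uri;
                if (!Uri.TryCreate(o, UriKind.Absolute, out uri)
                    || (uri.Scheme != Uri.UriSchemeHttps && uri.Scheme != Uri.UriSchemeHttp)
                    || uri.AbsolutePath != "/" || uri.Query.Length > 0)
                {
                    throw new ArgumentException("Not a bare origin: " + o);
                }
                return uri.GetLeftPart(UriPartial.Authority);
            }).ToList();
            return "frame-ancestors 'self' " + string.Join(" ", checkedOrigins);
        }

        public static void Apply(HttpResponse response)
        {
            // X-Frame-Options: SAMEORIGIN cannot express "this one other
            // origin", so it is dropped and CSP carries the restriction.
            // Browsers without frame-ancestors support get no framing limit.
            response.Headers.Remove("X-Frame-Options");
            // Overwrites any Content-Security-Policy set earlier in the request.
            response.Headers["Content-Security-Policy"] = BuildFrameAncestors(AllowedFramers);
        }
    }
}
```

The origin's scheme must match what the visitor's browser loads for the framing page, so list the `http://` and `https://` forms separately if the provider serves both.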
