Detect X-Frame-Options


Question

Is there a way to detect whether or not a page is allowed to load within an iframe?

If a URL can not load within an iframe, I would like to let the user know that the URL they are submitting will not work on our site.

I have tried to get the contents, but that doesn't work:

$("iframe#data-url").on("load", function() {
    alert($(this).contents())
});

I am not really sure where to go from here.

Refused to display 'https://www.facebook.com/' in a frame because it set 'X-Frame-Options' to 'DENY'.

Is there a way to detect X-Frame-Options?

Recommended answer

Because your script and the target URL are on different domains, JavaScript's cross domain policy won't let you access the headers. I ran into the same problem a few months ago and ended up using JavaScript to send an AJAX request to a PHP file which could then parse the headers.

This is what I had in the PHP file. This would then return the result in a JSON array. Let me know if it helps!

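<?php
// Fetch the target URL server-side so the response headers can be inspected.
$error = false;
$urlhere = 'http://facebook.com';
$ch = curl_init();

$options = array(
        CURLOPT_URL            => $urlhere,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,   // include the response headers in the output
        CURLOPT_FOLLOWLOCATION => true,   // follow redirects, up to CURLOPT_MAXREDIRS
        CURLOPT_ENCODING       => "",
        CURLOPT_AUTOREFERER    => true,
        CURLOPT_CONNECTTIMEOUT => 120,
        CURLOPT_TIMEOUT        => 120,
        CURLOPT_MAXREDIRS      => 10,
);
curl_setopt_array($ch, $options);
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch);
// header_size covers the headers of every response in the redirect chain.
$headers = substr($response, 0, $httpCode['header_size']);
// strpos() is case-sensitive and returns false when the string is not found.
if (strpos($headers, 'X-Frame-Options: deny') !== false || strpos($headers, 'X-Frame-Options: SAMEORIGIN') !== false) {
        $error = true;
}
$httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Report the final status code and whether framing is blocked.
echo json_encode(array('httpcode' => $httpcode, 'error' => $error));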

I know it's not an ideal response but it's all I could get to work with my project.

As Bill stated below, if you change strpos() to stripos() you might get better results as it runs a case insensitive search instead.
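
A stricter form of the header check, as an added example that is not part of the original answer: it reads only the final response's headers (cURL returns one block per redirect hop), matches names and values case-insensitively, and also honours the CSP `frame-ancestors` directive, which goes beyond the X-Frame-Options case discussed above. The names `finalHeaders`, `frameBlockReason`, `$ourOrigin` and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example, not the answerer's code. $ourOrigin is an assumed parameter:
// the origin of the site that wants to embed the page.

// Headers of the final response only; cURL emits one block per redirect hop.
function finalHeaders(string $raw): array
{
    $blocks = preg_split('/\r?\n\r?\n/', trim($raw));
    $lines = preg_split('/\r?\n/', end($blocks));
    array_shift($lines);                       // drop the status line
    $headers = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) continue;
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))][] = trim($value); // HTTP/2 names arrive lowercase
    }
    return $headers;
}

// Returns why framing is refused, or null when no header forbids it.
function frameBlockReason(string $raw, string $ourOrigin): ?string
{
    $h = finalHeaders($raw);
    $sawFrameAncestors = false;
    foreach ($h['content-security-policy'] ?? [] as $policy) {
        // ',' separates policies and ';' separates directives; every policy must allow us.
        foreach (preg_split('/[;,]/', strtolower($policy)) as $directive) {
            $tokens = preg_split('/\s+/', trim($directive), -1, PREG_SPLIT_NO_EMPTY);
            if (($tokens[0] ?? '') !== 'frame-ancestors') continue;
            $sawFrameAncestors = true;
            $sources = array_slice($tokens, 1);
            // Simplification: only '*' or our exact origin counts as permission.
            if (!in_array('*', $sources, true) && !in_array(strtolower($ourOrigin), $sources, true)) {
                return 'Content-Security-Policy: frame-ancestors';
            }
        }
    }
    if ($sawFrameAncestors) return null; // frame-ancestors supersedes X-Frame-Options
    foreach ($h['x-frame-options'] ?? [] as $value) {
        foreach (array_map('trim', explode(',', strtolower($value))) as $token) {
            if ($token === 'deny' || $token === 'sameorigin') return 'X-Frame-Options: ' . $token;
        }
    }
    return null;
}

// Constructed sample: a redirect hop followed by the final response.
$sample = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
        . "HTTP/2 200\r\nx-frame-options: DENY\r\ncontent-type: text/html\r\n\r\n";
var_dump(frameBlockReason($sample, 'https://our-site.test'));
```

Because the URL being fetched is user-submitted, limit the request to HTTP and HTTPS with `CURLOPT_PROTOCOLS` and `CURLOPT_REDIR_PROTOCOLS` before passing the headers to this function.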