Invalid 'X-Frame-Options' header from google's Doubleclick response


Problem description


We use doubleclick from Google to track user information with a floodlight tag in an IFrame, but recently the response is causing an error in the Chrome dev tools:

Invalid 'X-Frame-Options' header encountered when loading 'http://123.fls.doubleclick.net/activityi;src=123;type=123;cat=123;ord=123': 'ALLOWALL' is not a recognized directive. The header will be ignored.

Here is a blog post on the matter: http://ipsec.pl/node/1094

It looks like ALLOWALL has recently been added to allow any site to use the code as a src (similar to not including that option at all) and doubleclick is including this option in their response. Out of IE, Firefox and Chrome, Chrome is the only browser that throws the error. Does that mean that Google is using an option in doubleclick that doesn't work in their own browser? It's hard to imagine a Google team not testing in Chrome.

It seems to me that if the header is being ignored, and the header has the same effect as not including any cross site restrictions with X-Frame-Options, the error will not affect anything. Also, since the error occurs on the response, the tracking that is done with the original request should be fine, right?

Solution

The issue was filed as a bug report:
Bug 110857 - X-Frame-Options should accept ALLOWALL as a valid value
It has been addressed and the fix is in the main branch of WebKit; once the latest WebKit engine is in use by Chrome, the messages will disappear.

For more information, see: WebKit Changeset 144105
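
The warning quoted in the question says an unrecognized value makes the browser ignore the header, which leaves framing unrestricted. The sketch below models that rule and flags headers that are present but ignored; it is an added example, not part of the original question or answer and not WebKit's or Chrome's code, and the function names, the `acceptAllowAll` switch and the `example.test` URLs are assumptions made for illustration.

```javascript
// Added example, not code from the original post or from WebKit/Chrome.
// DENY and SAMEORIGIN are defined by RFC 7034; ALLOWALL is not, and the WebKit
// bug cited in the answer asks for it to be accepted as a valid value.
const RESTRICTING = new Map([["DENY", "none"], ["SAMEORIGIN", "same-origin"]]);

// acceptAllowAll is a hypothetical switch: false models the parser that logged
// the warning, true models one that accepts ALLOWALL.
function evaluateXFrameOptions(value, { acceptAllowAll = false } = {}) {
  if (value == null) return { honored: false, framing: "any-origin", warning: null };
  const raw = String(value).trim();
  const [first, ...rest] = raw.split(/\s+/);
  const directive = first.toUpperCase();
  if (RESTRICTING.has(directive) && rest.length === 0) {
    return { honored: true, framing: RESTRICTING.get(directive), warning: null };
  }
  if (directive === "ALLOW-FROM" && rest.length === 1) { // RFC 7034 too; browser support varies
    return { honored: true, framing: "listed-origin", origin: rest[0], warning: null };
  }
  if (directive === "ALLOWALL" && rest.length === 0 && acceptAllowAll) {
    return { honored: true, framing: "any-origin", warning: null };
  }
  // Anything else is ignored, and an ignored header restricts nothing.
  return {
    honored: false,
    framing: "any-origin",
    warning: `'${raw}' is not a recognized directive. The header will be ignored.`,
  };
}

// Returns the responses whose header is present but was ignored.
function findIgnoredHeaders(responses, options) {
  return responses
    .map((r) => ({ url: r.url, ...evaluateXFrameOptions(r.xfo, options) }))
    .filter((r) => r.warning !== null);
}

// Constructed sample input: the URL from the question plus two made-up ones.
const SAMPLES = [
  { url: "http://123.fls.doubleclick.net/activityi;src=123;type=123;cat=123;ord=123", xfo: "ALLOWALL" },
  { url: "https://app.example.test/login", xfo: "SAME-ORIGIN" }, // typo for SAMEORIGIN
  { url: "https://app.example.test/account", xfo: "sameorigin" },
];

for (const hit of findIgnoredHeaders(SAMPLES)) {
  console.log(`${hit.url}: ${hit.warning} Effective framing: ${hit.framing}`);
}
```

For `ALLOWALL` the effective framing policy is the same with either setting of the switch; the misspelled `SAME-ORIGIN` is the case worth catching, because the header is present but gives no framing restriction.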
