Content-Security-Policy (CSP) workaround for Internet Explorer
Question
We are building an ASP.NET website and want to allow only some domains who can iFrame our website. CSP is not supported in Internet Explorer. I am setting something like Response.AddHeader("Content-Security-Policy", "frame-ancestors mydomain1.com mydomain2.com").
How is everyone handling this for Internet Explorer? I read IE supports X-Content-Security-Policy but it doesn't have frame-ancestors.
Also I am removing the default X-Frame-Options header added by IIS by doing Response.Headers.Remove("X-Frame-Options").
Accepted answer
Microsoft, as follows:
- internally, whitelist domain1.com and domain2.com
- when embedding your iframe URL, add a parameter in the URL that specifies the origin: iframe src="http://example.org/frame.html?origin=http://domain1.com"
- on your server, check if the origin value is whitelisted. Use it to set X-Frame-Options: ALLOW-FROM http://domain1.com
You could also check the Referer header if it is present.
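The procedure in the answer (allowlist the framing domains, read the origin from the ?origin= parameter or the Referer header, validate it, and emit X-Frame-Options: ALLOW-FROM for IE while keeping CSP frame-ancestors for everyone else) worked through as an added example. This is not code from the original post or from Microsoft; it assumes classic ASP.NET (System.Web) running in the IIS integrated pipeline, where Response.Headers can be modified, and the class name FrameAncestorPolicy and the allowlisted origins are constructed for illustration.

```csharp
// Added example, not from the original post. Assumes classic ASP.NET (System.Web)
// under the IIS integrated pipeline, where Response.Headers is writable.
using System;
using System.Collections.Generic;
using System.Web;

public static class FrameAncestorPolicy
{
    // Constructed allowlist of origins permitted to frame this site.
    // The scheme is part of the origin, so list exactly what you accept.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://domain1.com",
            "https://domain2.com",
        };

    // Returns the allowlisted origin matching the candidate, or null.
    // The candidate (query parameter or Referer) is client-controlled, so the
    // comparison is an exact match on scheme + host (+ port): a lookalike host
    // or a path/query suffix never passes.
    public static string MatchAllowedOrigin(string candidate)
    {
        if (string.IsNullOrWhiteSpace(candidate)) return null;
        Uri uri;
        if (!Uri.TryCreate(candidate.Trim(), UriKind.Absolute, out uri)) return null;
        if (uri.Scheme != Uri.UriSchemeHttps && uri.Scheme != Uri.UriSchemeHttp) return null;

        string origin = uri.GetLeftPart(UriPartial.Authority); // e.g. "https://domain1.com"
        return AllowedOrigins.Contains(origin) ? origin : null;
    }

    // Prefer the explicit ?origin= parameter; fall back to Referer when present.
    public static string ResolveFramingOrigin(string originParam, string referer)
    {
        return MatchAllowedOrigin(originParam) ?? MatchAllowedOrigin(referer);
    }

    // Emits both headers: CSP frame-ancestors carries the whole allowlist for
    // browsers that support it; X-Frame-Options covers IE, which ignores CSP
    // frame-ancestors and accepts only a single ALLOW-FROM origin.
    public static void Apply(HttpResponse response, string originParam, string referer)
    {
        response.AppendHeader("Content-Security-Policy",
            "frame-ancestors " + string.Join(" ", AllowedOrigins));

        // IIS may already have added X-Frame-Options (as the question notes);
        // replace it rather than appending a second value.
        response.Headers.Remove("X-Frame-Options");
        string origin = ResolveFramingOrigin(originParam, referer);
        response.AppendHeader("X-Frame-Options",
            origin != null ? "ALLOW-FROM " + origin : "DENY");
    }

    // Typical call site, e.g. from a page's Page_Load or an HttpModule:
    //   FrameAncestorPolicy.Apply(Response,
    //       Request.QueryString["origin"], Request.Headers["Referer"]);
}
```

Two caveats a practitioner should keep in mind: ALLOW-FROM is honored only by Internet Explorer and older Firefox, so the CSP header must stay in place for other browsers, and the Referer header is often absent or trimmed by referrer policies, so a missing value should fall through to DENY rather than to a permissive default.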