无法在iframe中访问WordPress信息中心 [英] Can't access WordPress Dashboard in an iframe

问题描述

我在 http://foo.example.com 上有一个iframe，目标是 http://bar.example.com 。

I have an iframe on http://foo.example.com which targets to http://bar.example.com.

On http://bar.example.com 是一个WordPress安装。我能够查看页面并点击所有页面并发布但当我尝试进入后端时我得到了

On http://bar.example.com is a WordPress installation. I'm able to view the page and click on all pages and post but when I try to go to the backend I get

Refused to display document because display forbidden by X-Frame-Options.

并且请求已中止。

根据这个问题，我找到了这个成功发送的标题：

According to this question I aded this header which gets send successfully:

header('X-Frame-Options: GOFORIT');

还有什么可以限制只访问仪表板（和登录界面）？

What else can limit the access to just the dashboard (and the login screen)?

我可以访问这两个子域，也可以使用htaccess

I have access to both subdomains and can use a htaccess as well

推荐答案

根据对此，在WordPress的答案中，接收此内容无法在框架中显示登录页面上的错误，WordPress发送特殊标题

According to this, in WordPress Answers, Receiving "This content cannot be displayed in a frame" error on login page, WordPress sends a special header

X-Frame-Options: SAMEORIGIN

阻止点击劫持。因此，将管理员嵌入为iframe。

that prevents clickjacking. And hence, embedding the admin as an iframe.

可以从 wp-includes / default-中删除此标题，删除一些操作。 filters.php ，但风险自负。

It is possible to eliminate this header removing a couple of actions from wp-includes/default-filters.php, but at your own risk.

有人可能会注册一个名称非常相似的域名，将您的登录名作为后台iframe嵌入，并在您尝试键入时记录登录凭据in。

Someone might register a domain with a very similar name, embed your login as background iframe and log the login credentials when you try to type them in.

请阅读WPSE的完整问答。

这篇关于无法在iframe中访问WordPress信息中心的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！