Safari: Unrecognized Content-Security-Policy directive 'frame-ancestors'

Question

I have an application siteA.com that is loaded in an iframe inside siteB.com. There is no warning when loading siteA.com directly, but I get Unrecognized Content-Security-Policy directive 'frame-ancestors' when it is inside an iframe in siteB.com; this happens only in Safari.

All these changes were made in siteA.com

Meta tag, no luck:

<meta http-equiv="Content-Security-Policy" content="frame-ancestors siteB.com">

What headers should I add to siteA.com to allow Content-Security-Policy directive frame-ancestors?

Then I tried adding this in the head of the main index.php:

header("Content-Security-Policy: frame-ancestors 'self' siteB.com;");

but it is still working in siteA but not siteB.

Also added to .htaccess:

Header set Content-Security-Policy "frame-ancestors: siteB.com"

but nothing. Since the problem is arising in Safari, I also tried with

header("X-Frame-Options: ALLOW-FROM siteB.com");

but this even gives an error.

The nice part is that it doesn't load at all in any of the other tested browsers if the frame-ancestors URL is not the correct one.

What am I doing wrong?

Recommended answer

Unrecognized Content-Security-Policy directive 'frame-ancestors'

This is a browser-level error; you can't fix this. Are you using Safari 9 or older? Safari only supports frame-ancestors starting in Safari 10. The error also simply means the browser is ignoring what is, to it, an invalid directive it has no idea what to do with. It shouldn't negatively impact your site beyond what would normally occur if that directive weren't there. Not all console errors need to be acted on.

When using stuff like Content Security Policy, some older browsers are simply not going to support all features. You should still implement them due to the concept of progressive enhancement.

Note that Safari is frankly basically the new IE in terms of lagging behind support for standards, especially older versions. Don't expect bleeding edge support, but don't feel afraid to implement new features because of it. Unlike IE, Safari does catch up, and these missing features don't entirely break websites like they used to. It's not just Safari either; Firefox gets things before Chrome sometimes, etc.
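
An added example, not part of the original question or answer: a small Python linter run over the four framing controls tried in the question. Independently of the Safari version, it flags the delivery and syntax problems that make a browser ignore a control: frame-ancestors is not honoured in a <meta> element, a colon after the directive name makes the name invalid, and X-Frame-Options ALLOW-FROM is obsolete. The function names parse_csp and lint_framing are hypothetical.

```python
import re

# Directive names are letters, digits and hyphens; anything else (such as a
# trailing colon) makes the browser treat the directive as unknown.
_NAME = re.compile(r"^[A-Za-z0-9-]+$")

def parse_csp(policy):
    """Split a policy string into (name, [values]) pairs, in order."""
    directives = []
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.append((tokens[0].lower(), tokens[1:]))
    return directives

def lint_framing(delivery, name, value):
    """Return findings for one control; delivery is "header" or "meta"."""
    findings = []
    lname = name.lower()
    if lname == "x-frame-options":
        if value.strip().upper().startswith("ALLOW-FROM"):
            findings.append("ALLOW-FROM is obsolete; use CSP frame-ancestors")
        return findings
    if lname != "content-security-policy":
        return findings
    for dname, _values in parse_csp(value):
        if not _NAME.match(dname):
            findings.append(f"invalid directive name {dname!r}")
        elif dname == "frame-ancestors" and delivery == "meta":
            findings.append("frame-ancestors is ignored in <meta>; send it as a header")
    return findings

# The four attempts shown in the question (meta tag, index.php, .htaccess, XFO).
ATTEMPTS = [
    ("meta", "Content-Security-Policy", "frame-ancestors siteB.com"),
    ("header", "Content-Security-Policy", "frame-ancestors 'self' siteB.com;"),
    ("header", "Content-Security-Policy", "frame-ancestors: siteB.com"),
    ("header", "X-Frame-Options", "ALLOW-FROM siteB.com"),
]

if __name__ == "__main__":
    for delivery, name, value in ATTEMPTS:
        print(delivery, name, value, "->", lint_framing(delivery, name, value) or "ok")
```

Only the index.php header form passes the linter; whether a given browser then enforces it depends on that browser's frame-ancestors support, as the answer explains.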
