Apache X-Frame-Options SAMEORIGIN is always appended
Question
I'm running the same Django project on two Ubuntu 14.04.3 LTS webservers (one "real" and one VM). Because this project has to run in an iframe on another website, I had to change the X-Frame-Options.
On my VM I only had to change the security.conf and insert
Header set X-Frame-Options: "ALLOW-FROM https://example.org"
This is the part in the HTML header:
X-Frame-Options ALLOW-FROM https://example.org
On the real server I tried to have the same configuration. But the HTML header looks like this: X-Frame-Options SAMEORIGIN ALLOW-FROM https://example.org
And I don't have any idea where this SAMEORIGIN is set. Do you know where I have to look for this option? I looked through all confs in the directory (and subdirectories) /etc/apache2, but found nothing.
Thanks!
Recommended answer
If you're using Django, it's possible that you have the Clickjacking middleware installed. Look for this in your settings.py.
MIDDLEWARE_CLASSES = [
    ...
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ...
]
This would be sent back from your app server to Apache, and Apache would send it to the browser as a pass-through HTTP header.
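A check for the symptom in the question, as an added example that is not part of the original post or answer: it reads a raw response header block and reports whether X-Frame-Options carries a single directive, which is what RFC 7034 defines, or a merged pair like the one the real server returned. The function names and the sample responses are constructed for illustration.

```python
# Added example: audit the X-Frame-Options policy in a raw response header block.

def parse_xfo(value):
    """Split one header value into directives; unknown tokens get a '?' prefix."""
    tokens = value.replace(",", " ").split()
    directives, i = [], 0
    while i < len(tokens):
        keyword = tokens[i].upper()
        if keyword in ("DENY", "SAMEORIGIN"):
            directives.append(keyword)
        elif keyword == "ALLOW-FROM" and i + 1 < len(tokens):
            i += 1  # ALLOW-FROM consumes the origin that follows it
            directives.append("ALLOW-FROM " + tokens[i])
        else:
            directives.append("?" + tokens[i])
        i += 1
    return directives


def audit(raw_headers):
    """Return (status, directives); status is missing, ok, conflict or invalid."""
    directives, seen = [], False
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            seen = True
            directives += parse_xfo(value)  # repeated header lines are merged
    if not seen:
        return "missing", directives
    if not directives or any(d.startswith("?") for d in directives):
        return "invalid", directives
    if len(set(directives)) > 1:
        return "conflict", directives
    return "ok", directives


# Constructed responses modelled on the two servers in the question.
VM = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.org\r\n"
REAL = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "X-Frame-Options: SAMEORIGIN ALLOW-FROM https://example.org\r\n")

if __name__ == "__main__":
    for label, raw in (("vm", VM), ("real", REAL)):
        print(label, audit(raw))
```

A "conflict" result means two layers are each setting the header, here the application middleware and the web server. Current browsers ignore ALLOW-FROM; the Content-Security-Policy frame-ancestors directive is the supported way to allow one specific framing origin.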