Apache X-Frame-Options SAMEORIGIN is always appended


Question

I'm running the same Django project on two Ubuntu 14.04.3 LTS webservers (one "real" and one VM). Because this project has to run in an iframe at another website, I had to change to X-Frame-Options.

At my VM I only had to change the security.conf and insert Header set X-Frame-Options: "ALLOW-FROM https://example.org" This is the part in the HTML header: X-Frame-Options ALLOW-FROM https://example.org

At the real server I tried to have the same configuration. But the HTML header looks that way: X-Frame-Options SAMEORIGIN ALLOW-FROM https://example.org

And I don't have any idea where this SAMEORIGIN is set. Do you know where I have to look for this option? I've looked through all confs in the directory (and subdirectories) /etc/apache2, but found nothing.

Thanks!

Recommended answer

If you're using Django, it's possible that you have the Clickjacking middleware installed. Look for this in your settings.py.

MIDDLEWARE_CLASSES = [
    ...
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ...
]

This would be sent back from your app server to Apache, and Apache would send it to the browser as a pass-through HTTP header.
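
A check for the symptom described in the question, added here as an example and not part of the original question or answer: it parses response headers and reports when more than one X-Frame-Options directive reaches the client, as happens when both the application layer and Apache set the header. The function names and the sample header lists are constructed for illustration.

```python
import re

# The three directives X-Frame-Options defines; ALLOW-FROM carries an origin.
_DIRECTIVE = re.compile(r"DENY|SAMEORIGIN|ALLOW-FROM\s+[^\s,]+", re.IGNORECASE)


def xfo_directives(headers):
    """Collect X-Frame-Options directives from (name, value) header pairs.

    Covers repeated header lines and values merged into one line, joined
    by commas or by spaces as in the question.
    """
    found = []
    for name, value in headers:
        if name.strip().lower() != "x-frame-options":
            continue
        for match in _DIRECTIVE.findall(value):
            parts = match.split(None, 1)
            keyword = parts[0].upper()
            found.append(keyword if len(parts) == 1 else f"{keyword} {parts[1]}")
    return found


def audit(headers):
    """Return findings; an empty list means a single supported directive."""
    directives = xfo_directives(headers)
    findings = []
    if not directives:
        findings.append("no X-Frame-Options directive present")
    if len(set(directives)) > 1:
        findings.append("conflicting directives, likely set by more than one layer: "
                        + ", ".join(directives))
    if any(d.startswith("ALLOW-FROM") for d in directives):
        findings.append("ALLOW-FROM is obsolete and ignored by current browsers; "
                        "Content-Security-Policy frame-ancestors replaces it")
    return findings


# Constructed samples mirroring the two responses described in the question.
VM_HEADERS = [("Content-Type", "text/html"),
              ("X-Frame-Options", "ALLOW-FROM https://example.org")]
REAL_HEADERS = [("Content-Type", "text/html"),
                ("X-Frame-Options", "SAMEORIGIN ALLOW-FROM https://example.org")]

if __name__ == "__main__":
    for label, headers in (("VM", VM_HEADERS), ("real server", REAL_HEADERS)):
        print(label, xfo_directives(headers), audit(headers), sep="\n  ")
```

The list returned by `http.client.HTTPResponse.getheaders()` has the same (name, value) shape and can be passed to `audit` directly.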
