“无法在框架中查看此内容".第一次加载页面时出错 [英] "this content cannot be viewed in a frame" error the first time I load the page
问题描述
我已经开发了一个搜索表,该表托管在我公司的本地服务器(iis,网络核心网站)中.该网站是位于公司内另一台服务器(apache,wamp)中的Wordpress.两者都有不同的公共IP,但都托管在同一域的子域下.
I have developed a search form which is hosted in a local server (iis, net core web site) in my company. The web site is a Wordpress hosted in another server (apache, wamp), also in the company. Both has different public IPs, but both are hosted under subdomains of the same domain.
例如wordpress.company.com和search.company.com,我可以同时控制两者.
say, wordpress.company.com and search.company.com, and I have control over both.
我第一次使用iframe插件进行测试时,似乎一切正常,但是我现在意识到,Edge中显示了此错误.在所有浏览器上都显示相同的行为,但没有显示类似的消息.
first time I tested using iframe plugin, everything seem to work ok, however I realized now, there is this error shown in Edge. Same behavior is shown on all browsers yet no similar messages are shown.
此内容无法显示在框架中
这里应该有一些内容,但是发布者没有 允许将其显示在框架中.这是为了帮助保护 您可能会输入此网站的任何信息的安全性.
There is supposed to be some content here, but the publisher doesn’t allow it to be displayed in a frame. This is to help protect the security of any information you might enter into this site.
尝试一下
在新窗口中打开它(这是指向iframe内容网址的链接)
Open this in a new window (which is a link to iframes content url)
奇怪的是,我只需要按F5即可正确加载所有内容.
The weird thing is I just have to press F5 and everything loads correctly.
Chrome控制台中的错误是:
The error in the Chrome console is:
拒绝在框架中显示" http://subdomain.mysite.com/',因为 它将"X-Frame-Options"设置为"sameorigin".
Refused to display 'http://subdomain.mysite.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
如何解决此问题?
推荐答案
The problem is similar to one described here but because of .net Core. And the solution is also similar.
您也可以在问题的注释中使用@ user770完成的建议.但是,这不能解决iframe块.而且这个答案都不能解释为什么刷新页面可以解决该问题.但是,对于用户而言,这不是很好的体验.
You can also use the recommendations done by @user770 in the comments of the question. However, that does not solve the iframe block. And neither this answer explains why refreshing the page solved the issue. However, that is not a good experience for users.
因此,该解决方案很容易,并且可以通过代码完成,这样,如果有人尝试覆盖服务器中的X-Frame-Otions settign,oyu就会更加安全.任何倍数设置都将衍生为拒绝".
So, the solution is easy, and can be done by code, that way oyu are more secure if any one tries to overwrite the X-Frame-Otions settign in your server. Any multiple setting will derive in 'deny'.
在项目的startup.cs文件中,您必须添加此文件,以防止.net core自动添加"sameorigin"设置.
In the startup.cs file on your project you have to add this, for preventing .net core to add 'sameorigin' setting automatically.
public void ConfigureServices(IServiceCollection services)
{
//YOU CAN HAVE SOME CODE HERE
services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);
}
但是,这可能会在您的站点中造成风险,并且当您同时控制两个站点和两个域时,可以应用此方案.
However, this may lead to risk in your site, and this scenario is intended to be applied when you have control on both sites and both domains.
要保护站点安全,您必须设置X-frame-options设置以允许您需要的域.再次在startup.cs中执行以下操作.
To secure the site, you have to set X-frame-options setting to allow the domain you want. Again in startup.cs do the following.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
//YOU MAY HAVE SOME CODE HERE
app.Use(async (context, next) =>
{
context.Response.Headers.Add("X-Frame-Options", "ALLOW-FROM http://*.MYCONTROLLEDDOMAIN.COM https://*.MYCONTROLLEDDOMAIN.COM");
await next();
});
}
这样,您将允许您的域在iframe中请求此网站.
That way you will allow your domain to request this website within an iframe.
这篇关于“无法在框架中查看此内容".第一次加载页面时出错的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
