IFrame not rendered in JSF if using external URL


Problem description

When I use an IFrame inside a JSF page that refers to an external web page, the page isn't rendered.

JSF code:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html">

<f:loadBundle basename="resources.application" var="msg" />
<h:head>
<title>E-Payment Gateway</title>
<link type="text/css" rel="stylesheet"
    href="${facesContext.externalContext.requestContextPath}/resources/css/main_style.css" />

</h:head>

<h:body>
<f:view>
     <div style="height: 200px;">

    </div> 
    <div class="centercol" style="margin: auto;position: relative">
        <iframe
            src="http://google.com">
        </iframe>
    </div>
</f:view>
</h:body>
</html>

HTML result

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>

<title>E-Payment Gateway</title>

<link type="text/css" rel="stylesheet" href="/EPG_WEB_CUST/resources/css/main_style.css" /></head><body>
     <div style="height: 200px;">

    </div> 
    <div class="centercol" style="margin: auto;position: relative">
        <iframe src="http://google.com">
 #document<html><head></head><body></body></html></iframe>
    </div></body></html>

I don't know what causes this problem. It always displays empty rendered HTML.

Recommended answer

The problem is not with JSF or a firewall.

You're trying to use http://google.com inside an iFrame which is in a different domain. This is a potential security threat; it is called Cross Site Scripting (XSS). The answer to your problem lies in the HTTP headers of Google.

In order to avoid XSS attacks, Google has added the following headers.

X-FRAME-OPTIONS
X-XSS-PROTECTION

In other words, because of the above headers you cannot access them inside an iFrame which is in a different domain. Learn more about XSS here and about Same Origin Policy here.

Hope this solves your problem.
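
The framing check behind the X-FRAME-OPTIONS header named in the answer, as an added example that is not part of the original question or answer: a simplified JavaScript model of how a browser decides whether a response may be displayed in an iframe. It goes beyond the page by also covering the CSP frame-ancestors directive; the function names and the lower-case header-object shape are assumptions made for illustration.

```javascript
// Simplified model of the browser's framing check for one level of nesting
// (parent page -> iframe). Not a full CSP implementation: only 'none',
// 'self', * and exact origins are modelled as frame-ancestors sources.

function originOf(url) {
  return new URL(url).origin; // scheme + host + port
}

// Return the frame-ancestors source list from a CSP header value, or null
// when the policy has no such directive.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// headers: response headers of the framed page, keyed by lower-case name
// (hypothetical input shape chosen for this example).
function mayBeFramed(headers, frameUrl, parentUrl) {
  const self = originOf(frameUrl);
  const parent = originOf(parentUrl);

  // When frame-ancestors is present, X-Frame-Options is not consulted.
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    const ok = sources.some((s) => {
      if (s === "'none'") return false;
      if (s === "'self'") return parent === self;
      if (s === "*") return true;
      try { return originOf(s) === parent; } catch { return false; }
    });
    return { allowed: ok, reason: "frame-ancestors " + sources.join(" ") };
  }

  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: parent === self, reason: "X-Frame-Options: SAMEORIGIN" };
  }
  // Absent or unrecognised values (including obsolete ALLOW-FROM) do not block.
  return { allowed: true, reason: "no framing restriction" };
}
```

A site that wants to protect its own JSF pages from being framed elsewhere would send one of these headers on its responses; the model shows which parent origins each value admits.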
