设置内容安全策略,以便其他网站可以在iframe中嵌入特定的pdf文件 [英] Set content-security-policy so that other sites could embed a specific pdf file in an iframe
问题描述
在我们的IIS网站上,有一个PDF文件,我们需要允许其他网站在iframe中显示.当前,web.config中的content-security-policy是这样的:
On our IIS website, there is a PDF file that we need to allow other sites to show in an iframe. Currently the content-security-policy in the web.config is this:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="frame-ancestors 'self'" />
</customHeaders>
</httpProtocol>
</system.webServer>
因为这是pdf文件,所以我不能为此使用meta标签.由于我在任何地方都找不到答案,因此我尝试妥协并在pdf文件的子目录中使用以下命令创建了另一个web.config:
As this is a pdf file, I could not use meta tags for that. As I could not find an answer to this anywhere, I tried to compromise and created another web.config in the subdirectory of the pdf file with:
<add name="Content-Security-Policy" value="frame-ancestors '*'" />
因此尝试允许该目录中的所有文件在iframe中打开.但是,IIS抱怨我对"Content-Security-Policy"有多个定义,因此无法正常工作.
trying thus to allow all the files in that directory to open in an iframe. However, IIS complained that I have multiple definitions of "Content-Security-Policy", so that didn't work.
有什么想法吗?
推荐答案
我试图妥协并在pdf文件的子目录,其中包含:
I tried to compromise and created another web.config in the subdirectory of the pdf file with:
<add name="Content-Security-Policy" value="frame-ancestors '*'" />
因此尝试允许该目录中的所有文件在iframe.但是,IIS抱怨我有多个定义"Content-Security-Policy",因此无法正常工作.
trying thus to allow all the files in that directory to open in an iframe. However, IIS complained that I have multiple definitions of "Content-Security-Policy", so that didn't work.
这很奇怪,因为您可以在子文件夹中覆盖根web.config .
It weird because in subfolders you can override root web.config.
或者,您可以尝试 URL重写有条件地将CSP标头重写为另一个像此处.
Alternatively you can try url-rewrite to conditionally rewrite CSP header to another one as like here.
Note that PDF can be embedded anyway using Google Drive or PDF.js regardless CSP.
这篇关于设置内容安全策略,以便其他网站可以在iframe中嵌入特定的pdf文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
