How Can I Bypass the X-Frame-Options: SAMEORIGIN HTTP Header?


Question

I am developing a web page that needs to display, in an iframe, a report served by another company's SharePoint server. They are fine with this.

The page we're trying to render in the iframe is giving us X-Frame-Options: SAMEORIGIN which causes the browser (at least IE8) to refuse to render the content in a frame.

First, is this something they can control or is it something SharePoint just does by default? If I ask them to turn this off, could they even do it?

Second, can I do something to tell the browser to ignore this HTTP header and just render the frame?

Answer

If the 2nd company is happy for you to access their content in an IFrame then they need to take the restriction off - they can do this fairly easily in the IIS config.

There's nothing you can do to circumvent it, and anything that does work should get patched quickly in a security hotfix. You can't tell the browser to just render the frame if the source content header says it is not allowed in frames. That would make it easier for session hijacking.

If the content is GET only and you don't post data back, then you could get the page server-side and proxy the content without the header, but then any post back should get invalidated.
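To make the blocking behaviour in the answer concrete, here is a small evaluator of the X-Frame-Options decision a browser makes, added as an example that is not part of the original question or answer. It models the documented directives (DENY, SAMEORIGIN, and the legacy ALLOW-FROM), the conflicting-header and invalid-value edge cases, and uses constructed placeholder hostnames for the two companies.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple of a URL, filling in default ports."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme))


def framing_allowed(xfo_header, top_url, frame_url):
    """Decide whether a browser honouring X-Frame-Options would render frame_url
    inside a page at top_url. Returns (allowed, reason).

    Models the documented directives only: DENY, SAMEORIGIN and the legacy
    ALLOW-FROM (honoured by IE and old Firefox, ignored by current browsers).
    IE8 compared against the top-level page; current browsers check every
    ancestor frame, which is stricter for nested frames.
    """
    if xfo_header is None:
        return True, "no X-Frame-Options header; any site may frame this page"
    # A header sent twice arrives comma-joined. Identical repeats collapse;
    # conflicting directives are treated as DENY, which is what Chromium does.
    parsed = []
    for item in xfo_header.split(","):
        if item.strip():
            directive, _, arg = item.strip().partition(" ")
            parsed.append((directive.upper(), arg.strip()))
    directives = {d for d, _ in parsed}
    if len(directives) > 1:
        return False, "conflicting directives %s; falling back to DENY" % sorted(directives)
    directive, arg = parsed[0]
    if directive == "DENY":
        return False, "DENY: no site may frame this page"
    if directive == "SAMEORIGIN":
        if origin(top_url) == origin(frame_url):
            return True, "SAMEORIGIN and the framing page is the same origin"
        return False, "SAMEORIGIN but framer %s differs from %s" % (origin(top_url), origin(frame_url))
    if directive == "ALLOW-FROM":
        if arg and origin(top_url) == origin(arg):
            return True, "ALLOW-FROM matches the framing origin (legacy browsers only)"
        return False, "ALLOW-FROM does not match the framing origin"
    # Unknown tokens (e.g. ALLOWALL) make the header invalid; browsers ignore it.
    return True, "unrecognised directive %r; header ignored" % directive


if __name__ == "__main__":
    # Constructed hostnames standing in for the two companies in the question.
    partner = "https://sharepoint.partner.example/sites/reports/default.aspx"
    ours = "https://app.mycompany.example/dashboard"
    for value in ("SAMEORIGIN", None, "DENY, SAMEORIGIN", "ALLOWALL"):
        print(value, "->", framing_allowed(value, ours, partner))
```

The SAMEORIGIN case reproduces the question's situation: the partner's SharePoint page is refused inside the other company's frame, while the same page framed from its own origin is rendered.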

