How Can I Bypass the X-Frame-Options: SAMEORIGIN HTTP Header?


Question

I am developing a web page that needs to display, in an iframe, a report served by another company's SharePoint server. They are fine with this.

The page we're trying to render in the iframe is giving us X-Frame-Options: SAMEORIGIN, which causes the browser (at least IE8) to refuse to render the content in a frame.

First, is this something they can control, or is it something SharePoint just does by default? If I ask them to turn this off, could they even do it?

Second, can I do something to tell the browser to ignore this HTTP header and just render the frame?

Accepted answer

If the second company is happy for you to access their content in an IFrame, then they need to take the restriction off; they can do this fairly easily in the IIS config.

There's nothing you can do to circumvent it, and anything that does work should get patched quickly in a security hotfix. You can't tell the browser to just render the frame if the source content's header says it is not allowed in frames. That would make session hijacking easier.

If the content is GET only and you don't post data back, then you could fetch the page server side and proxy the content without the header, but then any post-back should get invalidated.
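To make the browser's side of the answer concrete, here is an added example (not code from the question or the answer) that decides whether a response may be framed by a given embedding origin, following the rules browsers apply to X-Frame-Options and to the CSP frame-ancestors directive that supersedes it. The origins and headers are constructed samples; a real check would read the headers from the SharePoint server's actual response.

```python
"""Added example: evaluate whether a page may be embedded in a frame by a
given origin, based on its X-Frame-Options / CSP frame-ancestors headers.
Simplification (assumption): origins are compared as scheme://host[:port]
exactly as written; default ports and wildcard hosts are not normalised."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.strip("'").lower() for s in parts[1:]]
    return None


def _source_matches(source: str, embedder: str, page: str) -> bool:
    if source == "none":
        return False
    if source == "*":
        return True
    if source == "self":
        return embedder == page
    if source.endswith(":"):          # scheme-only source such as https:
        return embedder.startswith(source)
    return embedder == source         # exact-origin source


def framing_allowed(page_url: str, embedder_url: str, headers: dict) -> bool:
    """True if the document at page_url may be framed by a document at embedder_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    ancestors = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:         # frame-ancestors takes precedence over X-Frame-Options
        return any(_source_matches(s, embedder, page) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return embedder == page
    # Any other value (including the obsolete ALLOW-FROM) is not enforced by current browsers,
    # so the response is treated as if no header were present.
    return True
```

Running the SAMEORIGIN case with a partner origin returns False, which is exactly the refusal the question describes; the CSP case shows the server-side change that would permit one specific partner origin without opening the page to every framer.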
