How to disable 'X-Frame-Options' response header in Spring Security?


Question

I have CKEditor on my JSP and whenever I upload something, the following error pops out:

Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'.

I have tried removing Spring Security and everything works like a charm. How can I disable this in the Spring Security XML file? What should I write between the <http> tags?

Accepted answer

By default X-Frame-Options is set to DENY, to prevent clickjacking attacks. To override this, you can add the following into your Spring Security config:

<http>
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>

Here are the available policy options:

  • DENY - is the default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself.
  • ALLOW-FROM - Allows you to specify an origin where the page can be displayed in a frame.

For more information take a look here.

And here to check how you can configure the headers using either XML or Java configs.

Note that you might also need to specify an appropriate strategy, based on your needs.
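The XML snippet above relaxes X-Frame-Options for every response. As an added example (not part of the original answer), the Java-config equivalent below keeps DENY site-wide and allows same-origin framing only for the CKEditor upload endpoint, using Spring Security's DelegatingRequestMatcherHeaderWriter. The path pattern /**/upload-image is an assumption taken from the URL in the question; the rest of the application's security rules are omitted.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class FrameOptionsConfig {

    // Assumed path pattern for the CKEditor upload endpoint (the question's URL
    // ends in /upload-image); adjust it to the real controller mapping.
    private static final String UPLOAD_PATH = "/**/upload-image";

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        RequestMatcher uploadEndpoint = new AntPathRequestMatcher(UPLOAD_PATH);

        // The upload response is rendered inside CKEditor's iframe on our own pages,
        // so it may be framed, but only by the same origin.
        DelegatingRequestMatcherHeaderWriter sameOriginForUpload =
                new DelegatingRequestMatcherHeaderWriter(
                        uploadEndpoint,
                        new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));

        // Every other response keeps the clickjacking protection at DENY.
        DelegatingRequestMatcherHeaderWriter denyElsewhere =
                new DelegatingRequestMatcherHeaderWriter(
                        new NegatedRequestMatcher(uploadEndpoint),
                        new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY));

        http.headers(headers -> headers
                // switch off the default writer, which would emit DENY for every response
                .frameOptions(frame -> frame.disable())
                .addHeaderWriter(sameOriginForUpload)
                .addHeaderWriter(denyElsewhere));

        // authorizeHttpRequests(), formLogin() etc. go here as in the rest of the app
        return http.build();
    }
}
```

After deploying, confirm with the browser's network panel or curl that /upload-image responds with X-Frame-Options: SAMEORIGIN while any other page still responds with DENY.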
