How to disable 'X-Frame-Options' response header in Spring Security?
Question
I have CKEditor on my jsp and whenever I upload something, the following error pops out:
Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'.
I have tried removing Spring Security and everything works like a charm. How can I disable this in the spring security xml file? What should I write between the <http> tags?
Accepted answer
By default X-Frame-Options is set to DENY, to prevent clickjacking attacks. To override this, you can add the following to your spring security config:
<http>
<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>
</http>
The available policy options are:
- DENY - the default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
- SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself.
- ALLOW-FROM - allows you to specify an origin from which the page can be displayed in a frame.
For more information take a look here.
And here to check how you can configure the headers using either XML or Java config.
Note that you might also need to specify an appropriate strategy, based on your needs.
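The XML in the answer relaxes X-Frame-Options for every response the application sends. A practitioner would normally relax it only for the one endpoint CKEditor actually loads in an iframe and keep DENY everywhere else. The Java-config equivalent below does that; it is an added example, not code from the original question or answer, and it assumes the upload handler lives under /upload-image/** (the path from the error message) and a Spring Security 5.7+ style SecurityFilterChain bean. It also emits a Content-Security-Policy frame-ancestors directive, because current browsers ignore the ALLOW-FROM value and frame-ancestors is the supported way to name who may frame a page.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class FrameOptionsConfig {

    // Assumed path of the CKEditor upload handler that is shown inside an iframe.
    // Adjust this matcher to the real endpoint of your application.
    private static final RequestMatcher UPLOAD_ENDPOINT =
            new AntPathRequestMatcher("/upload-image/**");

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .headers(headers -> headers
                // Turn off the default writer (DENY on every response) so it does not
                // conflict with the two request-scoped writers registered below.
                .frameOptions(frame -> frame.disable())
                // Only the upload response may be framed, and only by the same origin.
                .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                        UPLOAD_ENDPOINT,
                        new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)))
                // Every other response keeps the clickjacking-safe default.
                .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                        new NegatedRequestMatcher(UPLOAD_ENDPOINT),
                        new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY)))
                // frame-ancestors 'self' is the CSP counterpart of SAMEORIGIN and is what
                // browsers honour instead of the obsolete ALLOW-FROM value.
                .contentSecurityPolicy(csp -> csp.policyDirectives("frame-ancestors 'self'"))
            );
        return http.build();
    }
}
```

After deploying, confirm the scoping with two requests: a response from /upload-image/... should carry X-Frame-Options: SAMEORIGIN, while any other page (for example the login page) should still carry X-Frame-Options: DENY. If both show SAMEORIGIN, the relaxation has leaked to the whole site and clickjacking protection is weaker than intended.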