X-Frame-Options允许从一个特定的站点允许所有 [英] X-Frame-Options ALLOW-FROM a specific site allows from all
问题描述
我正在使用Rails应用程序从abc.com提供页面。其中,我在应用程序控制器中设置响应头文件(对于通过before_filter的每个请求),以便通过仅从特定站点(xyz.com)通过iframe访问,通过以下代码:
def set_x_frame_options
response.headers [X-Frame-Options] =允许 - 从http://www.xyz.com
end
问题是,我不仅能够从abc访问页面.com在xyz上,但也在任何其他网站上。我想限制访问只有xyz.com。当我在chrome控制台中检查响应头时,我可以看到X-Frame-Options正在正确传递。所有浏览器都会发生这种情况。我错过了什么?
对于那些寻求明确答案的人来说:它并没有在webkit中实现,但据报道,从版本 18.0 。下面的ruby语法适用于OSX的Firefox 20.0:
Allow-From http://www.website.com
I'm using a rails application to serve a page from abc.com. In it, I set the response headers in my application controller (for every request through before_filter) so that it can be accessed through an iframe only from a specific site (xyz.com), through the following code:
def set_x_frame_options
response.headers["X-Frame-Options"] = "ALLOW-FROM http://www.xyz.com"
end
The problem is, not only am I able to access the page from abc.com on xyz but also on any other website. I want to limit the access to only xyz.com. When I examine the response headers in chrome console I can see the X-Frame-Options is being passed on correctly. This is happening across all browsers. Am I missing something?
For those looking for a definitive answer: it's not implemented in webkit, but does work in Firefox reportedly as of version 18.0. The following ruby syntax works for me in Firefox 20.0 on OSX:
response.headers["X-Frame-Options"] = "Allow-From http://www.website.com"
这篇关于X-Frame-Options允许从一个特定的站点允许所有的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
