某些网站不会出现Iframe和.load（）函数 [英] Certain websites won't appear with Iframe and .load() function

问题描述

我试图在另一个网页（不是我的服务器上托管的网页）上加载网页，但由于跨网站/安全脚本，我无法加载某些网页。例如，google不会显示在iframe中，或者我使用jquery：

 < script> 
 $（＃siteload）。html（'< object data =http://google.com>'）; 
< / script> 
  

只是说明一点：我并非试图加载谷歌，只是任何网页，不会允许iframe ..

有人知道解决方法吗？如何加载我的服务器上的.html文件，将工作？ &安培;如何？

感谢您的帮助。

解决方案

网站开发者可以在响应中设置某些标题，以控制哪些URL（其他网站）可以将它们的内容加载到< iframe>，< frame>或< object> 。这是一种保护您的网站免受攻击的方式，如点击劫持。例如：大多数浏览器都支持 -Frame-Optionsrel =nofollow> X-Frame-Options header

X-Frame-Options有三种可能的值： p>

  DENY 
无论站点尝试这样做，页面都不能显示在框架中。 
 
 SAMEORIGIN 
页面只能以与页面本身相同的起源框架显示。 
 
允许 - 从uri 
页面只能显示在指定原点的框架中。 
  

请注意，Chrome，Safari不支持X-Frame-Options：Allow-From等等。现在的浏览器使用新的内容安全策略（CSP）来处理这些内容。 所以你可以使用新的标题来控制它：

Content-Security-Policy：frame-ancestors

$ b 所有新浏览器支持的CSP 2.0都完全向后兼容。

我知道这一点是不是你的问题的答案，但这些信息会给你一些观点，你为什么不能将网站加载到你的iFrame。

I'm trying to load webpages on an another webpage (not hosted on my server), but due to cross-site/security scripting I'm unable to load up certain webpages. For example, google won't show up in an iframe or if I use jquery:

 <script>
      $("#siteload").html('<object data="http://google.com">');
    </script>

Just a note: I'm not trying to load google specifically, just any webpage that won't allow iframes..

Does anybody know of a workaround? How about loading an .html file on my server, will that work? & how?

Thank you for your help.

解决方案

This is done on purpose, website developers can set certain headers in the response to control which URL's (other websites) can load their content in <iframe>, <frame> or <object>. This is a way of protecting your website from attacks like Clickjacking.

For example: most of the browsers support the X-Frame-Options header

There are three possible values for X-Frame-Options:

DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.

ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin.

Note that X-Frame-Options: Allow-From is not supported by Chrome, Safari etc.

The modern browsers handle these with the new Content Security Policy (CSP). So you can control this using the new header:

Content-Security-Policy: frame-ancestors

The CSP 2.0 which is supported by all the newer browsers are fully backward compatible as well.

I know this is not the answer to your question, but this information will give you some perspective into why you are not able to load the websites into your iFrame.

这篇关于某些网站不会出现Iframe和.load（）函数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！