Tracking down X-Frame-Options header


Question

We've partnered with a company whose website will display our content in an IFRAME. I understand what the header is and what it does and why; what I need help with is tracking down where it's coming from!

Windows Server 2003 / IIS6
Container page: https://testDomain.com/test.asp
IFRAME Content: https://ourDomain.com/index.asp?lots_of_parameters,_wheeeee

Testing in Firefox 24 with Firebug installed. (IE and Chrome do the same thing.) Also running Fiddler so I can watch network traffic while I'm at it.

For simplicity's sake, I created a page with nothing on it but the IFRAME in question - same physical server, different domain/site - and it failed with

    Load denied by X-Frame-Options: https://www.google.com/ does not permit cross-origin framing.

(That's in the Firebug console.) I'm confused because:


  1. Google is not referenced anywhere in the containing app, or in the IFRAMEd app. All javascript libraries are kept locally; there is no analytics in the app. No Google, nowhere.

  2. The containing page has NOTHING on it, except the IFRAME. No html tags, no head tag, no body tag. IFRAME. That's it.

  3. The X-FRAME-OPTIONS header does not exist in IIS on the server: not at the "Websites" node, not in the individual sites.

So where the h-e-double-sticks is that coming from? What am I missing?

Interesting point: if I remove http"S" from the IFRAME url, it works. Given the nature of the data, SSL is required.

Answer

You might check global.asax.cs; the app could be adding the header to every response automatically. If you just search the app for "x-frame-options" you might find something also.
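
An added diagnostic, not code from the question or the answer, that does the check the symptoms call for. The Firebug message names https://www.google.com/ as the origin refusing to be framed, and only the https form of the IFRAME URL fails, so the first thing to establish is which response in the redirect chain of that URL is the one actually carrying X-Frame-Options, and whether the container's origin would satisfy its value. The script below requests the URL hop by hop without letting the client auto-follow redirects, then applies X-Frame-Options semantics (DENY, SAMEORIGIN, ALLOW-FROM) against the container origin. The hostnames and SAMPLE_CHAIN are constructed placeholders.

```python
"""Trace which response actually carries X-Frame-Options when framing a URL.

Added example, not code from the question or the answer. The hostnames and
SAMPLE_CHAIN below are constructed placeholders.
"""
import ssl
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECTS = (301, 302, 303, 307, 308)

def origin_of(url):
    """scheme://host[:port], lower-cased: X-Frame-Options compares origins, not URLs."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def fetch_chain(url, max_hops=10, verify_tls=True):
    """GET url without auto-following redirects, then walk each Location by hand.
    Returns [(url, status, {header-lower: value}), ...], one entry per hop, so the
    hop that emits X-Frame-Options is visible rather than hidden behind the last one."""
    chain = []
    for _ in range(max_hops):
        p = urlsplit(url)
        path = (p.path or "/") + (f"?{p.query}" if p.query else "")
        if p.scheme == "https":
            ctx = ssl.create_default_context()
            if not verify_tls:  # IIS6-era certificates often fail modern validation;
                ctx.check_hostname = False  # a 2003-era TLS stack may also need an
                ctx.verify_mode = ssl.CERT_NONE  # older minimum protocol version
            conn = http.client.HTTPSConnection(p.hostname, p.port or 443, context=ctx, timeout=15)
        else:
            conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=15)
        conn.request("GET", path, headers={"Host": p.netloc, "User-Agent": "xfo-trace/1.0"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        resp.read()
        conn.close()
        chain.append((url, resp.status, headers))
        if resp.status not in REDIRECTS or "location" not in headers:
            break
        url = urljoin(url, headers["location"])
    return chain

def framing_verdict(xfo, container_origin, framed_origin):
    """X-Frame-Options semantics (RFC 7034) for one response: (allowed, reason).
    No header allows framing; an unparseable value is ignored by browsers, so it
    is reported as allowed but flagged."""
    if xfo is None:
        return True, "no X-Frame-Options header"
    value = xfo.strip()
    if value.upper() == "DENY":
        return False, "DENY"
    if value.upper() == "SAMEORIGIN":
        same = container_origin.lower() == framed_origin.lower()
        return same, f"SAMEORIGIN (container {container_origin} vs content {framed_origin})"
    if value.upper().startswith("ALLOW-FROM"):
        allowed = origin_of(value[len("ALLOW-FROM"):].strip())
        return allowed == container_origin.lower(), f"ALLOW-FROM {allowed}"
    return True, f"invalid value {value!r}, browsers ignore it"

def report(chain, container_origin):
    """One row per hop: (url, status, xfo_value, allowed, reason)."""
    rows = []
    for url, status, headers in chain:
        xfo = headers.get("x-frame-options")
        allowed, reason = framing_verdict(xfo, container_origin, origin_of(url))
        rows.append((url, status, xfo, allowed, reason))
    return rows

def first_blocker(rows):
    """First hop whose header would refuse the container, or None."""
    return next((r for r in rows if not r[3]), None)

# Constructed data shaped like the symptom in the question: the framed URL is not
# what finally answers, and the hop that does answer is the one sending the header.
SAMPLE_CHAIN = [
    ("https://ourDomain.com/index.asp?a=1", 302, {"location": "https://www.google.com/"}),
    ("https://www.google.com/", 200, {"x-frame-options": "SAMEORIGIN"}),
]

if __name__ == "__main__":
    import sys
    insecure = "--insecure" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--insecure"]
    container = "https://testDomain.com"  # origin of the page that holds the IFRAME
    chain = fetch_chain(args[0], verify_tls=not insecure) if args else SAMPLE_CHAIN
    rows = report(chain, container)
    for url, status, xfo, ok, why in rows:
        print(f"{status} {url}\n    X-Frame-Options: {xfo}\n    {'allowed' if ok else 'BLOCKED'}: {why}")
    hit = first_blocker(rows)
    print("blocked by:", hit[0] if hit else "nothing in this chain")
```

Run it once with the https IFRAME URL and once with the http one; since only https fails, the two chains should differ at the hop that carries the header, and that hop's URL tells you which server to look at. The answer's other step, searching the app, is a recursive case-insensitive grep from the site folder (`findstr /s /i x-frame-options *`), plus the IIS6 metabase (`%SystemRoot%\system32\inetsrv\MetaBase.xml`, property HttpCustomHeaders), which is where a header added through IIS Manager is stored.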

