How to set X-Frame Options to ALLOW-FROM https://example.com and SAMEORIGIN on server


Question


I have a requirement to set the X-Frame options on the server level to either:


  • X-Frame-Options: SAMEORIGIN
  • X-Frame-Options: ALLOW-FROM https://example.com/


Understand that X-Frame Options are mutually exclusive. See here.


However, my application requires framing in https://example.com and also from its SAMEORIGIN.


Please advise if there is a way around this while retaining my application's requirement to allow framing on the same origin and to be framed on 1 external site.

Or is this not possible?

Recommended answer


In addition to only supporting one instance of the header, X-Frame-Options does not support any more than just one site, SAMEORIGIN or not.


You'll have to use Content-Security-Policy and frame-ancestors, which does support multiple origins, like so:

Content-Security-Policy: frame-ancestors 'self' https://example.com

A few caveats to keep in mind:

  • frame-ancestors obsoletes X-Frame-Options - meaning that if frame-ancestors is present and the browser supports it, it will override the behaviour of X-Frame-Options.
  • Internet Explorer and Edge do not currently support the frame-ancestors directive, according to MDN. This means they will fall back to X-Frame-Options. If you need to support multiple origins in IE or Edge, see this answer on SO with a workaround.
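The following is an added example, not part of the answer above: a small Python module that emits the two headers the answer recommends sending together (the CSP frame-ancestors allow-list plus X-Frame-Options: SAMEORIGIN as the fallback) and evaluates, for a given embedding origin, whether framing would be allowed. It models the two caveats: when the browser supports frame-ancestors, that directive overrides X-Frame-Options; when it does not (the IE/Edge case at the time), X-Frame-Options decides and the external site is lost. The origins (app.example.net, example.com) and the matching rules for wildcard and scheme-less sources are assumptions made for this example; it does not implement every detail of the CSP source-expression grammar.

```python
from urllib.parse import urlsplit

# Constructed values for this example (not from the original question/answer).
OWN_ORIGIN = "https://app.example.net"
EXTERNAL_FRAMERS = ["https://example.com"]


def build_framing_headers(external_origins):
    """Return both response headers. CSP carries the full allow-list ('self'
    plus each external origin); X-Frame-Options is the fallback for browsers
    without frame-ancestors support and can only express SAMEORIGIN here."""
    sources = ["'self'"] + list(external_origins)
    return {
        "Content-Security-Policy": "frame-ancestors " + " ".join(sources),
        "X-Frame-Options": "SAMEORIGIN",
    }


def origin_of(url):
    """scheme://host[:port], lower-cased, so origins compare by value."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _source_matches(source, own_origin, ancestor):
    """Match one frame-ancestors source expression against an ancestor origin.
    Supports 'self', exact origins and a leading '*.' wildcard label. A source
    without a scheme is assumed (simplification) to take the page's own scheme;
    schemes must match exactly and default ports are not normalised."""
    if source == "'self'":
        return ancestor == own_origin
    if "://" not in source:
        source = own_origin.split("://", 1)[0] + "://" + source
    src, anc = urlsplit(source), urlsplit(ancestor)
    if src.scheme != anc.scheme:
        return False
    if src.netloc.startswith("*."):
        # '*.example.com' matches 'sub.example.com' but not 'example.com' itself
        return anc.netloc.endswith(src.netloc[1:])
    return src.netloc == anc.netloc


def frame_ancestors_directive(csp_value):
    """Sources of the frame-ancestors directive, or None if the policy has none."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def csp_allows_framing(csp_value, own_origin, ancestor):
    """True/False from frame-ancestors; None if CSP says nothing about framing
    (other directives such as default-src do not restrict embedding)."""
    sources = frame_ancestors_directive(csp_value)
    if sources is None:
        return None
    if sources == ["'none'"]:
        return False
    own, anc = origin_of(own_origin), origin_of(ancestor)
    return any(_source_matches(s, own, anc) for s in sources)


def xfo_allows_framing(xfo_value, own_origin, ancestor):
    """Evaluate X-Frame-Options: DENY, SAMEORIGIN or ALLOW-FROM <single uri>.
    An unrecognised value is treated as not allowed (conservative choice here)."""
    tokens = xfo_value.strip().split()
    anc = origin_of(ancestor)
    keyword = tokens[0].upper() if tokens else ""
    if keyword == "DENY":
        return False
    if keyword == "SAMEORIGIN":
        return anc == origin_of(own_origin)
    if keyword == "ALLOW-FROM" and len(tokens) == 2:
        return anc == origin_of(tokens[1])
    return False


def framing_allowed(headers, own_origin, ancestor, browser_supports_frame_ancestors=True):
    """Combine the headers as the answer describes: a supported frame-ancestors
    directive overrides X-Frame-Options; otherwise X-Frame-Options decides."""
    csp = headers.get("Content-Security-Policy")
    if browser_supports_frame_ancestors and csp is not None:
        verdict = csp_allows_framing(csp, own_origin, ancestor)
        if verdict is not None:
            return verdict
    xfo = headers.get("X-Frame-Options")
    if xfo is None:
        return True  # neither header restricts framing
    return xfo_allows_framing(xfo, own_origin, ancestor)


if __name__ == "__main__":
    hdrs = build_framing_headers(EXTERNAL_FRAMERS)
    for origin in ("https://example.com", OWN_ORIGIN, "https://other.example.org"):
        modern = framing_allowed(hdrs, OWN_ORIGIN, origin)
        legacy = framing_allowed(hdrs, OWN_ORIGIN, origin, browser_supports_frame_ancestors=False)
        print(f"{origin:30} modern={modern} legacy={legacy}")
```

Running the module shows the asymmetry the answer warns about: a browser that honours frame-ancestors allows both the page's own origin and https://example.com, while a browser that falls back to X-Frame-Options: SAMEORIGIN allows only the same origin, because that header cannot carry a second site.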
