How to disable 'X-Frame-Options' response header in Spring Security?

Views: 2060

Question

I have CKeditor on my jsp and whenever I upload something, the following error pops out:

 Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'.

I have tried removing Spring Security and everything works like a charm. How can I disable this in the spring security xml file? What should I write between <http> tags?

Recommended answer

By default X-Frame-Options is set to denied, to prevent clickjacking attacks. To override this, you can add the following into your spring security config

<http>
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>

Here are the available options for the policy:

  • DENY - is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself.
  • ALLOW-FROM - Allows you to specify an origin, where the page can be displayed in a frame.

For more information take a look here.

And here to check how you can configure the headers using either XML or Java configs.

Note that you might also need to specify an appropriate strategy, based on your needs.
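As an added example (not part of the original answer), here is the Java-config equivalent of the XML above, kept at SAMEORIGIN rather than disabled so clickjacking protection stays on, together with a MockMvc test that confirms the header the application actually emits. It assumes Spring Security 5.6+ or 6.x with Spring Boot; the class names and the /upload-image path are placeholders taken from the question.

```java
// FrameOptionsConfig.java (added example; assumes Spring Security 5.6+ / 6.x)
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class FrameOptionsConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            // Same effect as <frame-options policy="SAMEORIGIN"/> in the XML config:
            // the CKEditor host page on the same origin may frame the upload
            // response, any other site still gets DENY-equivalent treatment.
            // Do not use .frameOptions(f -> f.disable()) here: that removes the
            // header entirely and leaves every page frameable from anywhere.
            .headers(h -> h.frameOptions(f -> f.sameOrigin()));
        return http.build();
    }
}

// FrameOptionsHeaderTest.java (added example; placeholder path from the question)
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class FrameOptionsHeaderTest {

    @Autowired
    MockMvc mvc;

    @Test
    void uploadResponseAllowsSameOriginFramingOnly() throws Exception {
        // Verify the header the app really sends, instead of trusting the config.
        mvc.perform(get("/upload-image").with(user("tester")))
           .andExpect(header().string("X-Frame-Options", "SAMEORIGIN"));
    }
}
```

If the test reports DENY, another filter chain or a reverse proxy is still setting the header; if the header is absent, something has disabled frame options entirely, which is the outcome to avoid.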
