jQuery: how to block a website from loading in an iframe?
Notice: this page is a side-by-side Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/19843085/
how to block website from loading in iframe?
Asked by Rishi Kumar
Recently I tried to load the YouTube website in an iframe, but I checked and it did not work. I used this simple code.
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<iframe width="1000px" height="700px" src="http://www.youtube.com" ></iframe>
</body>
</html>
I want to know why my webpage can't load the YouTube website in an iframe.
What code do I use to load the YouTube website in my webpage?
How do I use the same technique in my website, so no one can add my website in an iframe?
Answer by Krish R
For modern browsers, you need to enable X-Frame-Options in the header. The X-Frame-Options header can be implemented through web server configuration settings.
You can view X-Frame-Options in the header as in the image below,
Reference: https://www.keycdn.com/blog/x-frame-options/
If your browser does not support it, then you will have NO clickjacking defense in place and can use HTTP Header Field X-Frame-Options,
<meta http-equiv="X-Frame-Options" content="deny">
There are three possible values for X-Frame-Options:
DENY - The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri - The page can only be displayed in a frame on the specified origin.
Answer by mwoodman
As of April 2016 the accepted answer by Krish R no longer works. Most browsers now ignore the meta tag as recommended by RFC 7034.
The correct way to implement this header is to have it sent with the document by the server. See the Mozilla documentation on X-Frame-Options for details.
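A sketch of sending the header from the server rather than from a meta tag, added here as an example and not part of either answer. It assumes a Node.js server; the function names are hypothetical, and the `Content-Security-Policy: frame-ancestors` header goes beyond what the page covers (it is the CSP equivalent of the same restriction).

```javascript
// Added example: function names are hypothetical, Node.js is assumed.

// Header values per policy. ALLOW-FROM is left out: it is obsolete and
// current browsers ignore it.
const POLICIES = {
  deny: { xfo: 'DENY', csp: "frame-ancestors 'none'" },
  sameorigin: { xfo: 'SAMEORIGIN', csp: "frame-ancestors 'self'" },
};

// Build the response headers for a framing policy ("deny" or "sameorigin").
function framingHeaders(policy) {
  const p = POLICIES[String(policy).toLowerCase()];
  if (!p) throw new Error('unsupported framing policy: ' + policy);
  return { 'X-Frame-Options': p.xfo, 'Content-Security-Policy': p.csp };
}

// Request handler that attaches the headers to every response it sends.
function makeHandler(policy) {
  const headers = framingHeaders(policy);
  return (req, res) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    res.setHeader('Content-Type', 'text/html; charset=utf-8');
    res.end('<!DOCTYPE html><title>demo</title><p>This page refuses framing.</p>');
  };
}

// Classify a response the way a browser treats it: "header" when the server
// sent X-Frame-Options, "meta-only" when only the ignored <meta http-equiv>
// form is present in the HTML, "none" otherwise.
function auditFraming(responseHeaders, html) {
  const names = Object.keys(responseHeaders).map((n) => n.toLowerCase());
  if (names.includes('x-frame-options')) return 'header';
  const meta = /<meta[^>]+http-equiv\s*=\s*["']?x-frame-options/i;
  return meta.test(html) ? 'meta-only' : 'none';
}

// Serve on localhost, e.g. startServer('sameorigin', 8080).
function startServer(policy, port) {
  const http = require('http'); // built-in module, loaded only when serving
  return http.createServer(makeHandler(policy)).listen(port, '127.0.0.1');
}
```

`auditFraming` returns `meta-only` for a page that relies on the meta tag from the first answer, which is the case the second answer says browsers ignore.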