javascript 拒绝显示,将 X-Frame-Options 设置为 SAMEORIGIN
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/34289313/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Refused to display, set X-Frame-Options to SAMEORIGIN
提问by Computer
I have a very old site built in ASP .Net 2008 by an external team who I have no contact with. All of a sudden a page doesn't seem to render properly in Chrome and FireFox but works fine with other browsers. The page is set with an iFrame.
我有一个非常古老的网站,它是由一个我没有接触过的外部团队在 ASP .Net 2008 中构建的。突然之间,页面似乎无法在 Chrome 和 FireFox 中正确呈现,但在其他浏览器中却能正常工作。该页面设置了 iFrame。
Looking under Inspect Element (Chrome) for the page failing to render I see the error
在 Inspect Element (Chrome) 下查看无法呈现的页面,我看到了错误
Refused to display 'http://www.example.com/somepage.html' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'.
So read a few articles and I may not understand this fully but it seems to me the error is, the domain requested will NOT allow itself to be displayed within a frame.
所以阅读几篇文章,我可能不完全理解这一点,但在我看来,错误是,请求的域不允许自己显示在框架内。
The URL above is not the URL I am familiar with (i.e. its third party, I don't have any control with it). Is there anyway to resolve this or is this purely the owner of the domain would have to allow? IF so why does it work in other browsers?
上面的网址不是我熟悉的网址(即它的第三方,我没有任何控制权)。有没有办法解决这个问题,或者这纯粹是域的所有者必须允许的?如果是这样,为什么它可以在其他浏览器中工作?
采纳答案by Quentin
Is there anyway to resolve this
有没有办法解决这个问题
Not at your end.
不是在你的尽头。
or is this purely the owner of the domain would have to allow?
或者这纯粹是域的所有者必须允许的?
This
这
IF so why does it work in other browsers?
如果是这样,为什么它可以在其他浏览器中工作?
Speculating a little here, but SAMEORIGIN, SAMEORIGINis not a valid value. It looks like Chrome is attempting error recovery and treating it as SAMEORIGIN
在这里推测一下,但SAMEORIGIN, SAMEORIGIN不是一个有效的值。看起来 Chrome 正在尝试错误恢复并将其视为SAMEORIGIN
回答by Frédéric
Quentin answersummaries it well.
昆汀的回答总结得很好。
In addition, if it is an external site beyond your control, they may have good reasons to forbid framing. (Like preventing click-Hymaning.)
此外,如果它是您无法控制的外部站点,他们可能有充分的理由禁止框架。(就像防止点击劫持一样。)
They may also have included a Content-Security-Policy:frame-ancestors 'self'headerwhich would have the same effect.
它们也可能包含一个具有相同效果的Content-Security-Policy:frame-ancestors 'self'标题。
(And currently, a bugin Chromium (and Chrome) causes X-Frame-Optionsto take precedence over Content-Security-Policywhile it should not.)
(目前,Chromium(和 Chrome)中的一个错误导致X-Frame-Options优先,Content-Security-Policy而它不应该。)
You may hack that if their site is served over http(not https) and you have control of a common network device through which all your users network traffic to this site must go. I mean, on that device, if it does allow you to do so, you may filter out 'undesired' headers from responses of this site.
如果他们的站点是通过http(不是https)提供服务的,并且您可以控制一个公共网络设备,那么您的所有用户到该站点的网络流量都必须通过该设备通过该设备,您可能会破解。我的意思是,在该设备上,如果它允许您这样做,您可以从该站点的响应中过滤掉“不需要的”标头。
Of course, this is a debatable hack. Depending on terms of uses of the 'victim' site, it could even be a legal issue to do so.
当然,这是一个有争议的黑客攻击。根据“受害者”网站的使用条款,这样做甚至可能是一个法律问题。
