Ruby on Rails: How to "allow-from" more than one domain for "X-Frame-Options" in a Rails 4 controller?

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/26745809/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-09-02 23:58:38  Source: igfitidea

How to "allow-from" more than one domain for "X-Frame-Options" in Rails 4 controller?

Tags: ruby-on-rails, iframe, ruby-on-rails-4, http-headers, x-frame-options

Asked by drumwolf

In a Ruby on Rails 4 application I'm working on, I need to make a page that will be pulled into an iframe hosted on the foo.bar.com server, so I have this controller method:


def iframed_page
  response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://foo.bar.com"
end

..and now it turns out that the client wants me to also whitelist http://foo.dev.bar.com as well.


I know that for setting X-FRAME-OPTIONS, the "ALLOW-FROM" option doesn't allow for multiple subdomains. But since this is the same root domain with different subdomains, would it be a little more flexible? For example, could I do something like


response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://*.bar.com"

as well?


Answered by Andrew Carreiro

You can use the Content-Security-Policy header instead, but it doesn't work on everything.


response.headers["X-Content-Security-Policy"] = "frame-ancestors http://*.bar.com"
response.headers["Content-Security-Policy"] = "frame-ancestors http://*.bar.com"
  • Content-Security-Policy will override X-Frame-Options on modern browsers
  • X-Content-Security-Policy will override X-Frame-Options on IE11
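The following is an added example, not code from the question or the answer above. It shows two things a practitioner usually wants to check before shipping the answer's approach: what headers a controller would actually emit for a given allow-list (X-Frame-Options ALLOW-FROM accepts exactly one literal origin and no wildcard, so it is only emitted in that case), and which embedding origins the resulting frame-ancestors directive really admits. The helper names (framing_headers, framing_allowed?, source_matches?), the self_origin parameter, and the sample origins are assumptions made for this example; port numbers are ignored for brevity, and only host sources with an optional scheme plus the 'self' and 'none' keywords are handled.

```ruby
require "uri"

# Build the header hash a Rails controller could merge into response.headers.
# frame-ancestors accepts several space-separated sources, wildcard hosts included.
# X-Frame-Options ALLOW-FROM takes a single literal origin, so it is only set
# when the allow-list is exactly one origin without a wildcard.
def framing_headers(allowed_sources)
  policy = "frame-ancestors #{allowed_sources.join(' ')}"
  headers = {
    "Content-Security-Policy" => policy,
    "X-Content-Security-Policy" => policy # legacy prefixed header named in the answer
  }
  if allowed_sources.size == 1 && !allowed_sources.first.include?("*")
    headers["X-Frame-Options"] = "ALLOW-FROM #{allowed_sources.first}"
  end
  headers
end

# Match one frame-ancestors source expression (e.g. "http://*.bar.com", "'self'")
# against the origin of the page that wants to embed us.
# Assumption: ports are ignored; only scheme + host are compared.
def source_matches?(source, ancestor_url, self_origin)
  return false if source == "'none'"
  source = self_origin if source == "'self'"

  ancestor = URI.parse(ancestor_url)
  return false unless ancestor.scheme && ancestor.host

  src_scheme, src_host = source.include?("://") ? source.split("://", 2) : [nil, source]
  src_host = src_host.split("/").first.split(":").first.downcase

  if src_scheme
    src_scheme = src_scheme.downcase
    anc_scheme = ancestor.scheme.downcase
    # CSP3 scheme matching: an http source also matches an https ancestor.
    scheme_ok = src_scheme == anc_scheme || (src_scheme == "http" && anc_scheme == "https")
    return false unless scheme_ok
  end

  host = ancestor.host.downcase
  if src_host.start_with?("*.")
    # A wildcard covers subdomains only; "*.bar.com" does not cover "bar.com" itself.
    host.end_with?(src_host[1..])
  else
    host == src_host
  end
end

# Evaluate a full Content-Security-Policy header value: is framing by
# ancestor_url permitted? A policy with no frame-ancestors directive imposes
# no CSP restriction on framing, so it returns true.
def framing_allowed?(policy_header, ancestor_url, self_origin)
  directive = policy_header.split(";").map(&:strip).find { |d| d.start_with?("frame-ancestors") }
  return true unless directive
  sources = directive.split(/\s+/)[1..]
  sources.any? { |s| source_matches?(s, ancestor_url, self_origin) }
end

if __FILE__ == $PROGRAM_NAME
  headers = framing_headers(["http://*.bar.com"])
  puts headers.inspect
  # Constructed sample origins for illustration.
  ["http://foo.bar.com", "http://foo.dev.bar.com", "https://foo.bar.com", "http://bar.com", "http://other.example"].each do |origin|
    puts "#{origin}: #{framing_allowed?(headers['Content-Security-Policy'], origin, 'https://app.example.com')}"
  end
end
```

In a controller the first helper would be used as `response.headers.merge!(framing_headers(["http://*.bar.com"]))`. The evaluation helper is a test aid: it makes visible that the wildcard form from the answer admits foo.bar.com and foo.dev.bar.com but not the apex bar.com, and that the scheme in the source is enforced (with the http-to-https allowance CSP3 specifies).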