Javascript X-Frame-Options SAMEORIGIN 在我的域上阻止 iframe
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/12182768/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
X-Frame-Options SAMEORIGIN blocking iframe on my domain
提问by SupFrig
i'm using http://www.Hymanlmoore.com/colorboxto display the content of an url in a lightbox. after implementation, the colorbox did'nt showed anything.
我正在使用http://www.Hymanlmoore.com/colorbox在灯箱中显示 url 的内容。实施后,颜色框没有显示任何内容。
Later, i noticed the following error in chrome logs:
后来,我在 chrome 日志中注意到以下错误:
Refused to display document because display forbidden by X-Frame-Options.
so after documenting i added the following line to the root .htaccess of the website :
所以在记录之后,我将以下行添加到网站的根 .htaccess 中:
Header always append X-Frame-Options SAMEORIGIN
to allow iframe embedding on my own domain.
允许在我自己的域中嵌入 iframe。
But i still get the error, i'm newbie to x-frame, and i'm working on an existing application, so i thought the .htaccess solution would be nice, but can it be overrided by some code ? Notice that it's not in the server configuration.
但是我仍然遇到错误,我是 x-frame 的新手,并且我正在处理现有的应用程序,所以我认为 .htaccess 解决方案会很好,但它可以被一些代码覆盖吗?请注意,它不在服务器配置中。
回答by bogatyrjov
Try sending another X-Frame-Options header, add
尝试发送另一个 X-Frame-Options 标头,添加
<?php header('X-Frame-Options: GOFORIT'); ?>
to the top of your page. It should disable the SAMEORIGIN command.
到您的页面顶部。它应该禁用 SAMEORIGIN 命令。
回答by Hammad
According to the moz dev pages. Here is the definition of the
根据 moz 开发页面。这里是定义
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.
SAMEORIGIN
页面只能显示在与页面本身相同来源的框架中。
It mean that only if you are including some page from your site would be shown.
Let suppose
这意味着只有当您包含网站中的某些页面时才会显示。
假设
- you have a website on http://foo.comand you want something to show in iframe from the http://foo.com/sec_pageit would show up in iframe
- but if you embed the same iframe(http://foo.com/sec_page) to load in http://bar.comthen it would not display anything. As the origin would be changed.
- 您在http://foo.com上有一个网站,并且您希望从http://foo.com/sec_page在 iframe 中显示一些内容,它会显示在 iframe 中
- 但是如果您嵌入相同的 iframe( http://foo.com/sec_page) 以加载到http://bar.com那么它就不会显示任何内容。因为原点会变。
You can read the full note here
回答by user_stackoverflow
You can remove the header from the response you get:
您可以从收到的响应中删除标题:
header_remove("X-Frame-Options");
header_remove("X-Frame-Options");
回答by user3467449
I've added this in httpd.conf:
我在httpd.conf:
Header unset X-Frame-Options
And it works.
它有效。
回答by AvinashSinha IT-SecurityExpert
Set XFrame Options to DENY or Sameorigin. Else it may help in crafting phishing attacks or Frame injections if your site is vulnerable to XSS attack.
将 XFrame 选项设置为 DENY 或 Sameorigin。否则,如果您的站点容易受到 XSS 攻击,它可能有助于制作网络钓鱼攻击或帧注入。
