In my Express application, running on dev.example.com, I have this line:

```javascript
// on my own domain: dev.example.com on port 80
server.use(helmet.xframe('allow-from', 'http://example.com'));
...
server.get('/content', function(req, res) { .... });
```

and in another Express application running on example.com:9000 I have a page (index) with an iframe:

```html
<div>
<iframe src="http://dev.example.com/content" width=10 height=10></iframe>
</div>
```

But when I go to example.com/ I get this error:

```
Invalid 'X-Frame-Options' header encountered when loading 'http://dev.example.com/content': 'ALLOW-FROM http://example.com' is not a recognized directive. The header will be ignored.
```

I have tried:

```javascript
server.use(helmet.xframe('sameorigin')); OR
server.use(helmet.xframe('allow-from', 'http://example.com:9000'));
```

Neither of them works. Any ideas?
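The browser message above is the key: Chrome never implemented the `ALLOW-FROM` directive of `X-Frame-Options`, so the header is discarded and the default framing rules apply. The standard way to allow a specific cross-origin framer is the Content-Security-Policy `frame-ancestors` directive, where a source must include the port when it is not the scheme default (here `http://example.com:9000`). The following is an added example, not code from the original post or from helmet: a dependency-free Express-style middleware that emits that header, with a small harness so it can be exercised without a running server. The allowed origin is the hypothetical value from the question.

```javascript
// Added example (not from the original post or from helmet): replace the
// unsupported "X-Frame-Options: ALLOW-FROM" with CSP "frame-ancestors".
// The origin below is the hypothetical framing page from the question.
const ALLOWED_FRAME_ANCESTORS = ['http://example.com:9000'];

// Build the Content-Security-Policy value that permits framing only by the
// page's own origin ('self') and the listed origins. Each origin is parsed so
// that malformed input throws instead of silently producing a broken policy,
// and so that the port survives when it is not the scheme default.
function frameAncestorsValue(origins) {
  const sources = origins.map((o) => new URL(o).origin);
  return `frame-ancestors 'self' ${sources.join(' ')}`;
}

// Express-compatible middleware: server.use(frameAncestors(ALLOWED_FRAME_ANCESTORS)).
// Deliberately does not also send "X-Frame-Options: SAMEORIGIN": browsers that
// understand frame-ancestors ignore X-Frame-Options, but a browser that only
// understands X-Frame-Options would block the framer we intend to allow.
function frameAncestors(origins) {
  const value = frameAncestorsValue(origins);
  return function (req, res, next) {
    res.setHeader('Content-Security-Policy', value);
    next();
  };
}

// Test harness: run the middleware against a fake response object and return
// the headers it set plus whether it passed control on to the next handler.
function headersFor(origins) {
  const headers = {};
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  let nextCalled = false;
  frameAncestors(origins)({}, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}
```

With the `/content` route served behind this middleware, the page on example.com:9000 may embed it while any other origin is refused by the browser.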