我正在尝试在y.example.com托管的网页上显示来自x.example.com的iframe
以下是我为
所做的设置Tomcat的:
<filter>
<filter-name>ClickJackFilterEnabled</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>false</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ClickJackFilterEnabled</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Spring Security:
httpResponse.setHeader("Content-Security-Policy", "default-src 'self' *.example.com; style-src 'self' *.googleapis.com *.amazonaws.com 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' *.example.com; font-src *;img-src 'self' *.amazonaws.com");
httpResponse.setHeader("Access-Control-Allow-Origin", "http://*.example.com");
当我打开包含嵌入式iframs的页面时,我仍然收到此错误:
Refused to display 'http://x.example.com/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
Uncaught SecurityError: Sandbox access violation: Blocked a frame at "http://y.example.com" from accessing a frame at "http://x.example.com". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.
当我使用curl检查标题时,标题X-Frame-Options不存在
这是curl的输出
* Rebuilt URL to: y.example.com/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 127.0.0.1...
* Connected to y.example.com (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: y.example.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Application-Context: application:dev:8080
< Content-Security-Policy: default-src 'self' *.example.com; style-src 'self' *.googleapis.com *.amazonaws.com 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' *.example.com; font-src *;img-src 'self' *.amazonaws.com
< Access-Control-Allow-Origin: http://*.example.com
< Content-Type: text/html;charset=UTF-8
< Content-Language: en-IN
< Transfer-Encoding: chunked
< Date: Wed, 20 Jul 2016 13:21:57 GMT
<
{ [8200 bytes data]
我错过了什么?
更新:
我试图设置
document.domain = "example.com"
在两个网页上,我仍然收到错误
Refused to display 'http://x.example.com/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'
当我输入
document.domain
在javascript控制台中,我正在
"example.com"
在两个网页上。因此两个页面的来源相同。
答案 0 :(得分:0)
x.example.com是发送SAMEORIGIN标头的人。 y.example.com无法覆盖此内容,因为这样就无法阻止iframe包含。站点必须向其他站点授予权限(缺少原始策略或具有权限的站点列表)以包含其内容。
检查来自 x .example.com的标题,您应该看到该政策实际上阻止了iframe。
答案 1 :(得分:0)
最后我能解决问题。问题可能在于浏览器如何处理X-Frame-Options标题。
设置背后的概念
document.domain = "example.com"
是使两个网页的原点相同。浏览器允许将源设置为父域,因此 axexample.com 处的页面可以将 document.domain 的值设置为 x.example.com 或 example.com
现在,即使将 document.domain 设置为 example.com ,我也收到了错误
Refused to display 'http://x.example.com/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'
当我完全删除X-Freme-Options标题时,使用
http.headers().frameOptions().disable();
在securityConfiguration.java中,它有效!
我不知道浏览器没有遵守document.domain设置的原因。无法在mozilla文档或其他任何地方找到任何相关内容。希望这有助于某人。