无法配置标头安全性中间件CakePHP

Question

我有一个使用CakePHP构建的网站，默认情况下它不允许将子域嵌入到iframe中。

1. 我在nginx/conf.d上配置了Frame Option，现在我的主页可以嵌入子域的iframe中了。

2. 但是，另一篇文章无法嵌入子域的iframe中。 （exp：http://example.net/postabc将不会显示）。我试图更改Header安全中间件的选项（请在下面阅读）。

3. 我是否需要在任何地方将配置更改为可以显示所有帖子？

<?php
namespace Cake\Http\Middleware;
use InvalidArgumentException;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

class SecurityHeadersMiddleware
{
    protected $headers = [];

    public function noSniff()
    {
        $this->headers['x-content-type-options'] = 'nosniff';

        return $this;
    }
    public function noOpen()
    {
        $this->headers['x-download-options'] = 'noopen';

        return $this;
    }

    public function setReferrerPolicy($policy = 'same-origin')
    {
        $available = [
            'no-referrer', 'no-referrer-when-downgrade', 'origin',
            'origin-when-cross-origin',
            'same-origin', 'strict-origin', 'strict-origin-when-cross-origin',
            'unsafe-url'
        ];

        $this->checkValues($policy, $available);
        $this->headers['referrer-policy'] = $policy;

        return $this;
    }

    public function setXFrameOptions($option = 'allow-from', $url = 'http://subdomain.example.net')
    {
        $this->checkValues($option, ['deny', 'sameorigin', 'allow-from']);

        if ($option === 'allow-from') {
            if (empty($url)) {
                throw new InvalidArgumentException('The 2nd arg $url can not be empty when `allow-from` is used');
            }
            $option .= ' ' . $url;
        }

        $this->headers['x-frame-options'] = $option;

        return $this;
    }

    public function setXssProtection($mode = 'block')
    {
        $mode = (string)$mode;

        if ($mode === 'block') {
            $mode = '1; mode=block';
        }

        $this->checkValues($mode, ['1', '0', '1; mode=block']);
        $this->headers['x-xss-protection'] = $mode;

        return $this;
    }


    public function setCrossDomainPolicy($policy = 'all')
    {
        $this->checkValues($policy, ['all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename']);
        $this->headers['x-permitted-cross-domain-policies'] = $policy;

        return $this;
    }


    protected function checkValues($value, array $allowed)
    {
        if (!in_array($value, $allowed)) {
            throw new InvalidArgumentException(sprintf(
                'Invalid arg `%s`, use one of these: %s',
                $value,
                implode(', ', $allowed)
            ));
        }
    }


    public function __invoke(ServerRequestInterface $request, ResponseInterface $response, $next)
    {
        $response = $next($request, $response);
        foreach ($this->headers as $header => $value) {
            $response = $response->withHeader($header, $value);
        }

        return $response;
    }
}