JavaScript static files from a different domain: the operation is insecure

Time: 2018-10-10 20:55:08

Tags: nginx cors

I have already looked at the related question, but unfortunately it did not give me any hint towards a solution.

I have a web application that works perfectly locally but raises a security exception on the server. The difference is that on my local machine I serve the JS static files from the same localhost address, whereas on the server I serve the JS static files from server.example.com and st.example.com.

Since everything works locally, it looks like I have to fix my nginx settings. I have already tried adjusting the X-Frame-Options and CORS settings, but that does not seem to help. The current configuration looks like this:

$ curl -I https://st.example.com/tools/static/js/clock.js
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 10 Oct 2018 20:50:11 GMT
Content-Type: application/x-javascript
Content-Length: 4680
Last-Modified: Thu, 14 Sep 2017 19:41:32 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "59badb6c-1248"
Expires: Thu, 10 Oct 2019 20:50:11 GMT
Cache-Control: max-age=31536000
Strict-Transport-Security: max-age=31536000;
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://www.example.com/
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
Accept-Ranges: bytes

Just in case:

$ curl -I https://www.example.com/app/
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 10 Oct 2018 20:51:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 224876
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Allow-Methods: POST,GET,OPTIONS,PUT,DELETE
Vary: Cookie
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With,X-File-Name,Content-Type,X-CSRFToken,Authorization
Set-Cookie: csrftoken=111; expires=Wed, 09-Oct-2019 20:51:27 GMT; Max-Age=31449600; Path=/
Strict-Transport-Security: max-age=31536000;
X-Frame-Options: SAMEORIGIN

Possibly unrelated, but this line causes the security exception:

link.insertRule();

The same line works like a charm when loaded from the same domain.

What am I missing in the nginx config?
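As an added illustration (not part of the question), the following script lints a raw response header dump such as the two curl -I captures above for header combinations that browsers reject or ignore; ST_HEADERS and WWW_HEADERS are constructed from the question's own output, and the finding names are this example's own.

```javascript
// Added example (not from the question): lint a raw "curl -I" header dump for
// CORS / framing header combinations that browsers reject or ignore.
// ST_HEADERS and WWW_HEADERS are constructed from the two captures in the question.

const ST_HEADERS = `HTTP/1.1 200 OK
Content-Type: application/x-javascript
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://www.example.com/
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS`;

const WWW_HEADERS = `HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN`;

// Parse "Name: value" lines into lower-cased name -> list of values, keeping repeats.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    if (/^HTTP\//.test(line)) continue;           // status line
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                        // blank or malformed line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return headers;
}
// Return a list of finding names; an empty list means nothing obviously wrong.
function lintCorsHeaders(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  const acao = h['access-control-allow-origin'] || [];
  const creds = h['access-control-allow-credentials'] || [];
  const xfo = h['x-frame-options'] || [];
  // A credentialed CORS response must name the origin; "*" is rejected by browsers.
  if (acao.includes('*') && creds.some(v => v.toLowerCase() === 'true')) {
    findings.push('wildcard-with-credentials');
  }
  // The CORS spec allows exactly one Access-Control-Allow-Origin value.
  if (acao.length > 1) findings.push('multiple-acao');
  // X-Frame-Options takes one value; two headers conflict and browsers may ignore both.
  if (xfo.length > 1) findings.push('multiple-xfo');
  // ALLOW-FROM is obsolete; use Content-Security-Policy frame-ancestors instead.
  if (xfo.some(v => v.toUpperCase().startsWith('ALLOW-FROM'))) findings.push('xfo-allow-from');
  return findings;
}
```

These checks cover the headers shown in the question, not the insertRule() exception itself. A browser raises that SecurityError when script reads or edits the rules of a stylesheet loaded from another origin; the stylesheet has to be loaded with a crossorigin attribute on its link element and served with a matching Access-Control-Allow-Origin header before its CSSOM becomes accessible.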

0 answers:

No answers