Question: I get the following error when trying to access the document of a website loaded in an iframe from http://localhost:8080 in Firefox.
Error:
SecurityError: Permission denied to access property "document" on cross-origin object
JavaScript:
const innerDocument = document.getElementById('frame').contentWindow.document
I read that I need to enable CORS / CSP, so I tried overriding the following response headers in the Squid proxy, but I still get the error:
squid.conf
reply_header_replace Access-Control-Allow-Origin http://localhost:8080
reply_header_replace X-Frame-Options allow-from http://localhost:8080
reply_header_replace X-XSS-Protection 0
reply_header_replace Content-Security-Policy ... frame-ancestors 'self' http://localhost:8080;
Response headers (actual; no Access-Control-Allow-Origin):
HTTP/1.1 200 Connection established
Date: Mon, 08 Jul 2019 04:46:20 GMT
Content-Type: text/html
Last-Modified: Thu, 04 Jul 2019 12:15:37 GMT
X-Frame-Options: allow-from http://localhost:8080
X-XSS-Protection: 0
Content-Security-Policy: default-src * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline';font-src * data: blob: 'unsafe-inline'; frame-ancestors 'self' http://localhost:8080 http://squid-proxy;
X-Content-Security-Policy: default-src * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline';font-src * data: blob: 'unsafe-inline'; frame-ancestors 'self' http://localhost:8080 http://squid-proxy;
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
CF-RAY: 4f2f69eac8fd65a3-SYD
Content-Encoding: gzip
X-Cache: MISS from d3fc9f808bad
X-Cache-Lookup: MISS from d3fc9f808bad:3128
Transfer-Encoding: chunked
Connection: keep-alive
Tools: