[英]X-Frame-Options header on error response
I found an interesting bug report related to X-Frame-Options header. 我发现了与X-Frame-Options标头相关的有趣的错误报告 。 But I dont understand how this can be security problem.
但是我不明白这怎么可能是安全问题。
Following code is given as proof of vulnerability: 给出以下代码作为漏洞证明:
require 'net/http'
require 'uri'
uri = URI.parse("https://play.google.com/#{"a" * 10000}")
@r = Net::HTTP.get_response uri
ret = @r.each_header {|x| puts x}
if ret["x-frame-options"]
puts ret["x-frame-options"]
else
puts "Missing x-frame-options!"
end
But it is trying to access an invalid URL ( https://play.google.com/aaaaaaaaa.. .) and returns an error page. 但是它试图访问无效的URL( https://play.google.com/aaaaaaaaa .. ),并返回错误页面。 In the response, x-frame-options header is missing.
在响应中,缺少x-frame-options标头。 I don't understand how this can be a security vulnerability (since it is a invalid page and its a error response)?
我不知道这怎么可能是一个安全漏洞(因为它是无效的页面,并且是错误响应)? How this can be used for clickjacking?
如何将其用于点击劫持? Why is it important for the error response also should have this header set?
为什么对于错误响应也很重要,还应该设置此标头?
您可以将以下行添加到.htaccess
Header always unset X-Frame-Options
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.