Why does only IE check the X-Frame-Options Header when iFrame src sends a file?
Debugging a strange problem, I stumbled across an interesting behaviour:
On a web page, I trigger a file download with the following JavaScript code:
var iframe = document.createElement("iframe");
iframe.src = 'download.php';
document.body.appendChild(iframe);
The PHP script download.php sends a text file with the X-Frame-Options header set to DENY:
<?php
header('X-Frame-Options: DENY');
header('Content-type: text/plain');
header('Content-Disposition: attachment; filename="text.txt"');
?>
Text
Chrome and Firefox allow the file download; IE 11 shows an iframe with a message saying the content can't be embedded.
What is the correct behaviour? To me, what IE does makes much more sense.
X-Frame-Options exists to prevent click-jacking. Preventing a file from being downloaded is not something that X-Frame-Options aims to achieve, since such a restriction can easily be bypassed by opening a link in a new window.
Therefore the behavior of Chrome and Firefox is correct.
(See also https://crbug.com/331211 "The X-Frame-Options flags aren't intended to prevent downloading. They only prevent displaying the page as a subframe.")
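The decision the answer describes, as an added model written for this thread (not browser code and not from the original post): a framed response is handed to the download manager before any framing policy is consulted, and only responses that would actually be rendered as a document are subject to X-Frame-Options. It goes slightly beyond the question by also covering SAMEORIGIN; the origins and the header sets are constructed sample input.

```javascript
// Resolve what a browser does with a response loaded into a subframe.
// Returns "download", "render" or "blocked". Modelled on the Chrome/Firefox
// behaviour discussed in the thread; IE 11 differs by applying the framing
// policy before honouring Content-Disposition.
function resolveFramedResponse(headers, frameOrigin, topOrigin) {
  // Header names are case-insensitive; normalise them once.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  // An attachment is never rendered as a document, so there is nothing for
  // X-Frame-Options to protect: the body goes straight to the download manager.
  const disposition = (h["content-disposition"] || "").toLowerCase();
  if (disposition.split(";")[0].trim() === "attachment") {
    return "download";
  }

  // Only now does the framing policy matter.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY") return "blocked";
  if (xfo === "SAMEORIGIN") {
    return frameOrigin === topOrigin ? "render" : "blocked";
  }
  // No header, or a value this model does not recognise (e.g. the legacy
  // ALLOW-FROM): assumed here to be treated as if the header were absent.
  return "render";
}

// Constructed sample: the thread's download.php response headers.
const downloadResponse = {
  "X-Frame-Options": "DENY",
  "Content-type": "text/plain",
  "Content-Disposition": 'attachment; filename="text.txt"',
};
// Constructed sample: an ordinary HTML page carrying the same header.
const pageResponse = { "X-Frame-Options": "DENY", "Content-Type": "text/html" };
```

Feeding downloadResponse to resolveFramedResponse yields "download" regardless of origins, while pageResponse yields "blocked", which is the distinction the crbug comment draws.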