[英]Internet Explorer X-Frame-Options ALLOW-FROM not working in IE 11 and Edge
I am having an issue using X-Frame-Options
to embed one site as an iFrame into another (different domains) with IE 11 and Edge.我在使用
X-Frame-Options
通过 IE 11 和 Edge 将一个站点作为 iFrame 嵌入到另一个(不同的域)时遇到问题。 My research and experience indicate that IE doesn't yet support CSP Level 2 frame-ancestors, so I must use X-Frame-Options
.我的研究和经验表明 IE 尚不支持 CSP Level 2 框架祖先,因此我必须使用
X-Frame-Options
。
I have added the response header X-Frame-Options: ALLOW-FROM https://<mysite>.com
to the site that needs to be embedded.我已将响应头
X-Frame-Options: ALLOW-FROM https://<mysite>.com
到需要嵌入的站点。
These are secured sites so I am unable to provide real URLs to this community.这些是安全站点,因此我无法提供该社区的真实 URL。
When I launch the main site, which contains an iFrame with content from the second site, I am able to see the X-Frame-Options
header in the response for the iframe content and it looks to be applied correctly.当我启动包含来自第二个站点的内容的 iFrame 的主站点时,我能够在 iframe 内容的响应中看到
X-Frame-Options
标头,并且它看起来应用正确。 However, IE indicates "...modified this page to help prevent cross-site scripting" and my frame contains only the #
symbol.但是,IE 指示“...修改此页面以帮助防止跨站点脚本”,而我的框架仅包含
#
符号。
Due to timing and internal IT delays, I am unable to have both sites hosted in the same domain.由于时间安排和内部 IT 延迟,我无法将两个站点托管在同一域中。
Can anyone help to explain what I did wrong in implementing X-Frame-Options
or if there is another option to achieve the desired effect?任何人都可以帮助解释我在实施
X-Frame-Options
时做错了什么,或者是否有另一种选择来达到预期的效果?
IE 11 not following standard , which means can not use "*", so have to give domain name with http/https. IE 11 不符合标准,即不能使用“*”,所以必须给域名加上 http/https。
def cors_set_access_control_headers
headers["Access-Control-Allow-Origin"] = "*"
headers["Access-Control-Allow-Methods"] = "GET"
headers["Access-Control-Request-Method"] = "*"
headers["Access-Control-Allow-Headers"] = "Origin, X-Requested-With, Content-Type, Accept, Authorization"
headers["X-Frame-Options"] = "ALLOW-FROM http://172.16.1.159"
headers["X-XSS-Protection"] = "0"
end
It turns out that the issue wasn't related to frames.事实证明,该问题与帧无关。 The framed content had the same XSS error/note when accessed directly vs through an embedded iframe.
直接访问与通过嵌入式 iframe 访问时,框架内容具有相同的 XSS 错误/注释。 The timing of the error showing threw me off since it was coincidental to the implementation of CSP level 2 frame-ancestors.
错误显示的时间让我失望,因为它与 CSP 级别 2 帧祖先的实现是巧合的。
I have opened a case with MS to determine what in the content the XSS engine doesn't like and have had to disable the XSS in IE browsers with the X-XSS-Protection:0 response header.我已经与 MS 打开了一个案例,以确定 XSS 引擎不喜欢内容中的哪些内容,并且不得不使用 X-XSS-Protection:0 响应标头禁用 IE 浏览器中的 XSS。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.