
Internet Explorer X-Frame-Options ALLOW-FROM not working in IE 11 and Edge

I am having an issue using X-Frame-Options to embed one site as an iFrame into another (different domains) with IE 11 and Edge. My research and experience indicate that IE doesn't yet support CSP Level 2 frame-ancestors, so I must use X-Frame-Options.

I have added the response header X-Frame-Options: ALLOW-FROM https://<mysite>.com to the site that needs to be embedded.

These are secured sites so I am unable to provide real URLs to this community.

When I launch the main site, which contains an iFrame with content from the second site, I am able to see the X-Frame-Options header in the response for the iframe content and it looks to be applied correctly. However, IE indicates "...modified this page to help prevent cross-site scripting" and my frame contains only the # symbol.

Due to timing and internal IT delays, I am unable to have both sites hosted in the same domain.

Can anyone help to explain what I did wrong in implementing X-Frame-Options or if there is another option to achieve the desired effect?

IE 11 does not follow the standard, which means you cannot use "*"; you have to give the domain name with http/https.

  # Controller method that sets CORS and framing headers on the response.
  def cors_set_access_control_headers
    headers["Access-Control-Allow-Origin"] = "*"
    headers["Access-Control-Allow-Methods"] = "GET"
    # Access-Control-Request-Method is a request header sent by the browser
    # during preflight; setting it on the response has no effect.
    headers["Access-Control-Request-Method"] = "*"
    headers["Access-Control-Allow-Headers"] = "Origin, X-Requested-With, Content-Type, Accept, Authorization"
    # IE 11 needs a single origin with scheme and host here; "*" is rejected.
    headers["X-Frame-Options"] = "ALLOW-FROM http://172.16.1.159"
    # Turns off IE's built-in XSS filter for this response.
    headers["X-XSS-Protection"] = "0"
  end
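The point of this answer is that IE 11's ALLOW-FROM accepts exactly one fully qualified origin (scheme and host, no wildcard), while browsers that support CSP Level 2 should get frame-ancestors with the whole allowlist. The Ruby below is an added example and not code from the question or either answer: it normalises the request's Referer to an origin, emits ALLOW-FROM for it when it is on the allowlist and DENY otherwise, and sends the CSP frame-ancestors directive alongside. The origins https://mysite.example and https://portal.example, the function names and the use of Referer to choose the framer are assumptions.

```ruby
require "uri"

# Origins allowed to embed this site in an <iframe>. Constructed example
# values; replace with the real framing site(s).
ALLOWED_FRAMERS = %w[https://mysite.example https://portal.example].freeze

# Reduce a URL (for example a Referer value) to its origin, scheme://host[:port].
# Returns nil when scheme or host is missing, which also rejects "*" and bare
# hostnames, the two forms IE 11 does not accept in ALLOW-FROM.
def origin_of(url)
  u = URI.parse(url.to_s)
  return nil unless %w[http https].include?(u.scheme) && u.host
  port = u.port == u.default_port ? "" : ":#{u.port}"
  "#{u.scheme}://#{u.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

# Build the anti-framing headers for one response.
# referer: the request's Referer header (may be nil).
# Returns a Hash of header name => header value.
def frame_headers(referer, allowed = ALLOWED_FRAMERS)
  allowed_origins = allowed.map { |a| origin_of(a) }.compact
  headers = {
    # CSP Level 2: the standard mechanism, listing every permitted framer.
    "Content-Security-Policy" =>
      "frame-ancestors 'self' #{allowed_origins.join(' ')}",
  }
  # Legacy fallback for IE 11, which ignores frame-ancestors. ALLOW-FROM holds
  # a single origin, so pick it from the Referer when that origin is on the
  # allowlist; otherwise refuse framing outright.
  framer = origin_of(referer)
  headers["X-Frame-Options"] =
    if framer && allowed_origins.include?(framer)
      "ALLOW-FROM #{framer}"
    else
      "DENY"
    end
  headers
end
```

Two caveats: a top-level navigation gets DENY too, which is harmless because X-Frame-Options is only consulted when the response is framed; and if the framing page sends no Referer (for example under a strict referrer policy), IE will fall into the DENY branch, so the embedding site must keep sending it.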

It turns out that the issue wasn't related to frames. The framed content had the same XSS error/note when accessed directly vs through an embedded iframe. The timing of the error showing threw me off since it was coincidental to the implementation of CSP level 2 frame-ancestors.

I have opened a case with MS to determine what in the content the XSS engine doesn't like and have had to disable the XSS in IE browsers with the X-XSS-Protection:0 response header.
