

X-Frame-Options: ALLOW-FROM HTTP and HTTPS

With "X-Frame-Options: ALLOW-FROM" how can I allow one domain but with http and https requests?

I have the header below but the client also serves the site at http://www.example.com .

X-Frame-Options: ALLOW-FROM https://www.example.com

Seems like there's no option for allowing both HTTP and HTTPS schemes within the same ALLOW-FROM header. Quoting from the spec:

As the "ALLOW-FROM" field only supports one serialized-origin, in cases when the server wishes to allow more than one resource to frame its content, the following design pattern can fulfill that need:

  1. A page that wants to render the requested content in a frame supplies its own origin information to the server providing the content to be framed via a query string parameter.

  2. The server verifies that the hostname meets its criteria, so that the page is allowed to be framed by the target resource. This may, for example, happen via a lookup of a whitelist of trusted domain names that are allowed to frame the page. For example, for a Facebook "Like" button, the server can check to see that the supplied hostname matches the hostname(s) expected for that "Like" button.

  3. The server returns the hostname in "X-Frame-Options: ALLOW-FROM" if the proper criteria was met in step #2.

  4. The browser enforces the "X-Frame-Options: ALLOW-FROM" header.
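The four-step pattern above as an added Python example (not code from the answer or from the spec): the framer's origin arrives in a query parameter, its host is checked against an exact-match allowlist, and the validated origin is echoed back in ALLOW-FROM with whichever scheme the framer actually used, so one host entry covers both http and https. The allowlist, the function name and the attacker-style hostname in the comment are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical): hostnames permitted to frame this content.
# Only the host is listed, so the same entry serves http:// and https:// framers.
TRUSTED_FRAMING_HOSTS = frozenset({"www.example.com"})

DENY = {"X-Frame-Options": "DENY"}


def frame_headers(framer_origin, trusted_hosts=TRUSTED_FRAMING_HOSTS):
    """Build the X-Frame-Options header for one response.

    framer_origin is the value the embedding page sent in its query string
    (step 1 of the pattern). The host is checked against the allowlist
    (step 2) and, if it passes, echoed back as the single serialized origin
    that ALLOW-FROM accepts, with the scheme the framer actually uses
    (step 3). Anything that fails validation gets DENY.
    """
    if not framer_origin:
        return dict(DENY)
    try:
        parts = urlsplit(framer_origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return dict(DENY)
    # A serialized origin is scheme://host[:port] only: no credentials,
    # path, query or fragment, and only the two web schemes are meaningful.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return dict(DENY)
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        return dict(DENY)
    # Exact match on the host: a substring or suffix test would also accept
    # a host such as www.example.com.attacker.test (constructed name).
    host = parts.hostname  # urlsplit already lowercases the host
    if host not in trusted_hosts:
        return dict(DENY)
    origin = f"{parts.scheme}://{host}" + (f":{port}" if port is not None else "")
    return {"X-Frame-Options": f"ALLOW-FROM {origin}"}
```

Current browsers ignore ALLOW-FROM altogether; the Content-Security-Policy frame-ancestors directive is the present-day mechanism and accepts several sources, including scheme-less hosts, in a single header.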
