
How does .headers().frameOptions().disable() work?

About using Spring Security to allow, control and get access to the H2 web console.

I read these two posts:

In conclusion, it is mandatory to use the following ("improved" in some way):

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .mvcMatchers("/admin/**").hasRole("ADMIN")
            ...
            .mvcMatchers("/h2-console/**").hasRole("ADMIN")
            .and()
        .csrf().ignoringAntMatchers("/h2-console/**")
            .and()
        .headers().frameOptions().disable()
            .and()

From the above it is better, for security reasons, to use .csrf().ignoringAntMatchers("/h2-console/**") instead of csrf().disable(), because the former applies only to /h2-console/ while the latter is global and is not recommended.

Up to here I am fine, and I am able to see the H2 web console once the login process has happened and the user has the required role.


Now it is mandatory to use .headers().frameOptions().disable(); if it is not used, the following happens:


The localhost refused to connect message appears in each inner block when the mouse cursor is over any of them.

My doubts are:

  1. How does .headers().frameOptions().disable() work?
  2. Is it safe to use that statement in a Production environment? Consider the difference between .csrf().ignoringAntMatchers("/h2-console/**") and csrf().disable(), where the former is specific and the latter is "global" (and is not recommended). Therefore perhaps there is a specific configuration available, much better than .headers().frameOptions().disable() (which at first glance looks to me like a "global" configuration), that only applies to /h2-console/.
  3. Could .headers().frameOptions().disable() have any negative effect, directly or indirectly, on other configure(HttpSecurity http) configuration? (Mostly for Production)

First, let's look at the X-Frame-Options response header.
This header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>.
Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.

Spring Security sets the X-Frame-Options response header to DENY by default.
This tells the browser that the page cannot be displayed in a frame, regardless of the site attempting to do so.
Since the H2 console UI is using <frame> elements, these will not be rendered and you will see the error screen that you shared in your question.

Spring Security allows you to customise this behaviour using .headers().frameOptions() in the Security DSL.
If you choose to disable the X-Frame-Options header (not recommended) by setting .headers().frameOptions().disable(), then Spring Security will not add the X-Frame-Options header to the response.
This means your application could be rendered in a frame, and could also be vulnerable to Clickjacking attacks.

Instead of disabling it, it is sufficient for this use case to set X-Frame-Options to SAMEORIGIN.

http
    .headers(headers -> headers
        .frameOptions(frameOptions -> frameOptions
            .sameOrigin()
        )
    )

This tells the browser that the page can only be displayed in a frame on the same origin as the page itself.

Since the frames in the H2 console UI (such as http://localhost:8080/h2-console/tables.do) are on the same origin as the H2 console (http://localhost:8080/h2-console), the browser will allow them to be displayed.

However, if a different (potentially malicious) website tried to embed one of the pages, the browser would not allow it.
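As an added illustration (not code from the question or the answer above) of the browser behaviour the answer describes, this Python function applies the X-Frame-Options outcome of each DSL call discussed on the page (deny, sameOrigin, disable) to the H2 console URLs from the thread; the attacker origin is a constructed placeholder, and the DSL-to-header mapping is stated from the answer's explanation.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Mapping, taken from the answer's explanation, of each Spring Security DSL call
# to the X-Frame-Options value the response carries (None = header not added).
FRAME_OPTIONS = {
    "frameOptions().deny()": "DENY",          # Spring Security default
    "frameOptions().sameOrigin()": "SAMEORIGIN",
    "frameOptions().disable()": None,         # header omitted entirely
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Tuple[str, str, int]:
    """Return the (scheme, host, port) triple that browsers compare for same-origin."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported URL: {url}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname.lower(), port


def browser_allows_framing(xfo: Optional[str], frame_url: str, top_url: str) -> bool:
    """Decide whether a browser renders frame_url inside the document at top_url,
    given the X-Frame-Options value received with frame_url's response."""
    if xfo is None:                   # header absent: any site may embed the page
        return True
    value = xfo.strip().upper()
    if value == "DENY":               # blocked even when both are the same origin
        return False
    if value == "SAMEORIGIN":         # allowed only if scheme, host and port match
        return origin(frame_url) == origin(top_url)
    raise ValueError(f"unrecognised X-Frame-Options value: {xfo!r}")


def evaluate(dsl_call: str, frame_url: str, top_url: str) -> bool:
    """Combine the DSL mapping with the browser decision for one embedding."""
    return browser_allows_framing(FRAME_OPTIONS[dsl_call], frame_url, top_url)


if __name__ == "__main__":
    H2_CONSOLE = "http://localhost:8080/h2-console"             # URLs from the thread
    H2_FRAME = "http://localhost:8080/h2-console/tables.do"
    ATTACKER = "http://attacker.example/"                       # constructed placeholder
    for call in FRAME_OPTIONS:
        print(f"{call:30} console frame: {evaluate(call, H2_FRAME, H2_CONSOLE)!s:5} "
              f"attacker embed: {evaluate(call, H2_FRAME, ATTACKER)}")
```

With the default DENY the console's own frames are refused (the error in the question), SAMEORIGIN renders them while still refusing a foreign embed, and disable() renders everything, including the foreign embed that enables clickjacking.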
