堆栈内存溢出
  简体   繁体   English

知道受X-Frame-Options保护的POST表单的状态

[英]Knowing the status of a form POST that is protected by X-Frame-Options

 原文  2011-06-20 07:51:29       http/ google-chrome/ post/ x-frame-options

问题描述

I am going to describe my specific case below, but this might be useful to a number of web-mashups. 我将在下面描述我的具体情况,但这可能对许多Web混搭有用。

My web application POSTs to Twitter by filling a form and then submitting it (via javascript). 我的Web应用程序通过填写表单然后提交(通过javascript)将信息发布到Twitter。 The target of the form is set to an iframe which has an onload trigger. 表单的target设置为具有onload触发器的iframe When the onload trigger is called the application knows that the POST was completed. onload触发器时,应用程序知道POST已完成。

This used to work fine until Chrome version 11, which now respects the X-Frame-Options=SAMEORIGIN sent by Twitter in the POST response. 在Chrome版本11之前,该方法一直可以正常工作,直到Chrome版本11现在尊重Twitter在POST响应中发送的X-Frame-Options=SAMEORIGIN The POST goes through, but the iframe's onload is not called anymore. POST可以通过,但不再调用iframe's onload

It still works in Firefox 4, but I suppose that's a bug that will eventually get fixed. 它仍然可以在Firefox 4中使用,但是我想这是一个错误,最终将得到修复。

Is there any other way to know the status of the POST? 还有其他方法可以知道POST的状态吗? I understand that knowing the contents of the POST response would violate the security policy, but I am not interested in the contents. 我了解知道POST响应的内容将违反安全策略,但是我对内容不感兴趣。 I would just like the app to be notified when the POST is completed. 我只希望在POST完成后通知应用程序。

2 个解决方案

解决方案1
 1 已采纳  2011-09-06 13:39:52

If you just need to know when the POST was submitted, and not necessarily whether it succeeded or not, you could poll the iframe's contentWindow and contentWindow.document on an interval. 如果您只需要知道POST的提交时间,而不必知道它是否成功,则可以按一定的时间间隔轮询iframe的contentWindowcontentWindow.document When you can no longer access one of those objects, or when the document has an empty body, that means that the iframe has loaded a page with X-Frame-Options restrictions, which likely means that the submission went through. 如果您无法再访问这些对象之一,或者文档的正文为空,则表示iframe加载了具有X-Frame-Options限制的页面,这很可能意味着提交已通过。 It's hacky, but it looks like it will work for this purpose. 它很hacky,但看起来可以用于此目的。 (You'll probably have to go through a few combinations to figure out what the contents of restricted iframes look like in your target browsers.) (您可能必须进行几种组合才能确定目标浏览器中受限iframe的内容。)

解决方案2
 0  2011-12-13 11:50:44

You can do it by getting the headers of the page. 您可以通过获取页​​面标题来实现。 In php it will be looks like, 在php中,

$url = 'http://www.google.com';
print_r(get_headers($url));

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 错误响应时出现X-Frame-Options标头 - X-Frame-Options header on error response 了解HTTP标头X-Frame-Options - Understanding HTTP header X-Frame-Options X-Frame-options是否也适用于本地文件? - Does X-Frame-options works for local files too? Web浏览器不支持X-Frame-Options? - Web browser that does not respect X-Frame-Options? 创建帧重定向会导致Chrome丢弃X-Frame-Options错误 - Creating a frame redirect causes Chrome to throw X-Frame-Options error 如何绕过 X-Frame-Options: SAMEORIGIN HTTP 标头? - How Can I Bypass the X-Frame-Options: SAMEORIGIN HTTP Header? Content-Security-Policy 如何与 X-Frame-Options 一起使用? - How does Content-Security-Policy work with X-Frame-Options? X-Frame-Options和Content-Security-Policy标头之间的安全性差异? - Security difference between X-Frame-Options and Content-Security-Policy headers? 在 spring-boot 应用程序中启用 X-Frame-Options header(没有 spring 安全性) - enable X-Frame-Options header in spring-boot application (without spring security) 为什么当iFrame src发送文件时,仅IE会检查X-Frame-Options标头? - Why does only IE check the X-Frame-Options Header when iFrame src sends a file?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM