简体繁体 English

了解HTTP标头X-Frame-Options

[英]Understanding HTTP header X-Frame-Options

原文 2012-09-29 02:22:33 4 1 http/ header

Regarding the X-Frame-Options ( https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header ), I'm having a bit of a hard time parsing what the docs say and what I'm seeing. 关于X-Frame-Options（ https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header ），我很难解析文档的内容和我的我在看 My understanding is that when the page returns SAMEORIGIN, browsers will only load the contents of the frame if the page that had the IFRAME came from the same domain. 我的理解是，当页面返回SAMEORIGIN时，如果具有IFRAME的页面来自同一域，则浏览器将仅加载框架的内容。

I've got three machines. 我有三台机器。 When I'm logged into SERVER-A, I navigate to a page that is hosted on SERVER-A. 登录到SERVER-A后，我导航到SERVER-A上托管的页面。 It contains an IFrame that loads a page from SERVER-B but it's in a different domain. 它包含一个IFrame，可从SERVER-B加载页面，但它位于其他域中。 This all works... but when I go to SERVER-C and browse to the same page (that's served from SERVER-A), it won't load. 所有这些都可以工作...但是当我转到SERVER-C并浏览到同一页面（由SERVER-A提供）时，它将不会加载。 Looking at the IE Debugging Tools, the request for that IFramed page shows a status of aborted. 查看IE调试工具，对该IFramed页面的请求显示中止状态。

Ideas? 有想法吗？

1 个解决方案

This is working as you'd expect from server C - you've stated that the iFrame shouldn't load in a page from a different domain in the X-Frame-Options, and it didn't. 正如您期望的那样，它可以在服务器C上正常工作-您已声明不应将iFrame从X-Frame-Options中的其他域加载到页面中，而应该加载该页面。 This security policy isn't applied for pages loaded from localhost, which sounds like it's what's happening here when you're on server A, similarly to this situation . 与此情况类似，此安全策略不适用于从本地主机加载的页面，这听起来像是当您在服务器A上时在这里发生的情况。

You haven't said which of the pages you've applied the X-Frame-Options to: it matters that it was on the page in the iFrame (ie on Server B in your setup). 您尚未说明已将X-Frame-Options应用于哪个页面：至关重要的是，它位于iFrame的页面上（即，设置中的服务器B）。 I don't think applying the header to server A will have made a difference. 我认为将标头应用于服务器A不会有所作为。