stackoom
  简体   繁体   中英

How to restrict an iframe to a specific domain

 原文  2013-11-11 18:39:51       html/ security/ iframe

Question

I know I can check the request headers for the referrer. Is that enough? For example – How does a service like Disqus securely prevent another site from embedding someone else's comment thread?

3 answers

solution1
 1  2013-11-11 19:08:46

Turns out what I was looking is the X-Frame-Options response header . It lets you specify the origin an iframe can be rendered in.

More info: https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

solution2
 0  2013-11-13 16:08:52

查看浏览器标头(它们是一种非常强大且相对较新的安全性机制),但是我认为不同的浏览器在实现标头的方式上有所不同(以更改:-()

solution3
 0  2021-11-16 17:20:11

The X-Frame-Options header only really allows for blanket DENY and SAMEORIGIN settings, and has been made obsolete by the newer Content-Security-Policy headers.

CSP frame-ancestors can be used in all modern browsers to restrict iframe embeds to certain domains. Eg:

Content-Security-Policy: frame-ancestors 'self' https://www.example.org;

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to get the iframe url for specific domain in WordPress How to restrict highlighting an iframe How to postMessage in JS to specific script in iframe in another domain How to restrict website to load only inside an iframe? How to restrict user to access iframe in separate tab? Can i restrict what parent (html only) access my child iframe(PHP) which is on different domain? load specific div from external website in another domain into iframe how to add iframe from different domain How to change a Jitsi IFrame API domain? How to style content of iframe on different domain?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM