I know I can check the request headers for the referrer. Is that enough? For example, how does a service like Disqus securely prevent another site from embedding someone else's comment thread?
Turns out what I was looking for is the X-Frame-Options response header. It lets you specify the origin an iframe can be rendered in.
More info: https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
Look into browser headers (they are a very powerful and relatively new security mechanism), but I think different browsers differ in how they implement the headers (subject to change :-( )
The X-Frame-Options header only really allows for blanket DENY and SAMEORIGIN settings, and has been made obsolete by the newer Content-Security-Policy headers.
CSP frame-ancestors can be used in all modern browsers to restrict iframe embeds to certain domains. E.g.:
Content-Security-Policy: frame-ancestors 'self' https://www.example.org;
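As an added example (not code from any of the answers above), here is a small Node.js request handler that builds the framing headers from an allowlist of embedding origins, using CSP frame-ancestors as the primary control and X-Frame-Options only where its two values (DENY, SAMEORIGIN) can express the same policy. The origin https://www.example.org is the one from the answer; the /embed/ route, the function names and the allowlist are assumptions made for the example.

```javascript
// Added example: build anti-framing headers from an allowlist of embedders.
// Not from the original answers; route, names and allowlist are hypothetical.

// Accept only the source forms we want operators to use in frame-ancestors:
// 'self', 'none', or a scheme://host[:port] origin, optionally with a leading
// "*." wildcard label. Paths, query strings and other schemes are rejected so
// a typo cannot silently widen the policy.
function isValidAncestorSource(src) {
  if (src === "'self'" || src === "'none'") return true;
  return /^https?:\/\/(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:\d{1,5})?$/i.test(src);
}

// Returns the response headers for a page that may be framed only by
// `allowedAncestors`. An empty list means "not frameable at all".
function buildFrameHeaders(allowedAncestors) {
  const bad = allowedAncestors.filter((s) => !isValidAncestorSource(s));
  if (bad.length) {
    throw new Error(`invalid frame-ancestors source(s): ${bad.join(", ")}`);
  }

  const sources = allowedAncestors.length ? allowedAncestors : ["'none'"];
  const headers = {
    "Content-Security-Policy": `frame-ancestors ${sources.join(" ")}`,
  };

  // X-Frame-Options can only say DENY or SAMEORIGIN. Emit it only when the
  // allowlist maps exactly onto one of those. For a cross-origin allowlist we
  // omit it: a DENY fallback would break the allowed embedders on browsers
  // that honour X-Frame-Options but not CSP, and ALLOW-FROM is not reliably
  // supported. Browsers that support both give CSP frame-ancestors precedence.
  if (sources.length === 1 && sources[0] === "'none'") {
    headers["X-Frame-Options"] = "DENY";
  } else if (sources.length === 1 && sources[0] === "'self'") {
    headers["X-Frame-Options"] = "SAMEORIGIN";
  }
  return headers;
}

// Hypothetical policy: the embeddable widget under /embed/ may be framed by
// the site itself and one partner origin; every other page is not frameable.
const EMBED_ALLOWLIST = ["'self'", "https://www.example.org"];

// Plain (req, res) handler in the shape Node's http module passes, so it can
// be mounted with http.createServer(handler).listen(8080).
function handler(req, res) {
  const frameHeaders = req.url.startsWith("/embed/")
    ? buildFrameHeaders(EMBED_ALLOWLIST)
    : buildFrameHeaders([]);
  res.writeHead(200, {
    "Content-Type": "text/html; charset=utf-8",
    ...frameHeaders,
  });
  res.end("<!doctype html><p>comment widget</p>");
}
```

The browser, not the server, evaluates the chain of embedding documents when it decides whether to render the frame, so this control does not depend on a Referer header being present or truthful, which is the gap a Referer check alone leaves open.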