有一个本地运行的网络服务器,我想在 iframe 中有 Keycloak(在另一个域上)登录页面。我在 Keycloak Real Settings > Security Defenses > Headers > Content-Security-Policy 中尝试了以下设置
frame-src 'self' http://127.0.0.1 http://192.168.1.140 http://localhost *.home-life.hub http://trex-macbook.home-life.hub localhost; frame-ancestors 'self'; object-src 'none';
基本上,我将本地 IP 地址和主机名作为frame-src
.
登录页面未显示,我在浏览器控制台中收到此错误
Refused to display 'http://keycloak.example.com:8080/auth/realms/master/protocol/openid-connect/auth?client_id=es-openid&response_type=code&redirect_uri=https%3A%2F%2Fkibana.example.com%3A5601%2Fauth%2Fopenid%2Flogin&state=3RV-_nbW-RvmB8EfUwgkJq&scope=profile%20email%20openid' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
我的服务器和 UI(服务器渲染)代码:
'use strict';
const Hapi = require('@hapi/hapi');
const init = async () => {
// Run server on all interfaces
const server = Hapi.server({
port: 3000,
});
await server.start();
// server.ext('onPreResponse', (req, h) => {
// req.response.header('Content-Security-Policy', "default-src 'self' *.example.com");
// console.log('req.response.headers', req.response.headers);
// return h.continue;
// });
server.route({
method: 'GET',
path: '/home',
handler: () => {
return `<html>
<head>
<title>searchguard kibana openid keycloak</title>
</head>
<body>
<p>
<iframe src="https://kibana.example.com:5601" width="800" height="600"></iframe>
</p>
</body>
</html>`;
},
});
server.route({
method: '*',
path: '/{path*}',
handler: (req, h) => {
return h.redirect('/home');
},
});
console.log('Server running on %s', server.info.uri);
};
process.on('unhandledRejection', (err) => {
console.log(err);
process.exit(1);
});
init();
iframe 最后应该在 kibana.example.com 上显示一个页面。Keycloak 用作 kibana.example.com 的身份提供者。