问题标签 [x-frame-options]

我的自定义域名有问题。我的域名提供商将重定向网站放在 iframe 中。

目前我正在使用 azurewebsites 托管，当我通过自定义域访问我的网站时，除了家庭控制器之外，我无法使用任何操作。

问题在于 x-frame-options 标头，例如：

拒绝在框架中显示“”，因为它将“X-Frame-Options”设置为“SAMEORIGIN”。

这种行为有什么解决办法吗？还是我的域名提供商的问题？

此致。

我正在使用 Laravel (4.1.*) 的开发版本，并且有一个我不想要的新默认配置：X-Frame-Options: SAMEORIGIN

目前我通过删除一行来禁用它Illuminate\Http\FrameGuard.php

我正在寻找更好的解决方案。我在 filter.php 文件中尝试过：

但它只是添加了选项（X-Frame-Options:ALLOW-ALL, SAMEORIGIN），而我需要一个覆盖。

我正在用 Django 编写一个应用程序，让用户能够从我的网站嵌入视频。我正在为用户提供 iFrame 代码以嵌入视频。我发现这是不允许的。尝试这样做时，控制台会显示以下错误：

X-Frame-Options 拒绝加载：http: //blah.com/embed/110/不允许跨域框架。

经过大量研究，我发现了发生了什么。我的问题是：有人知道像 Youtube 和 Vimeo 这样的服务是如何解决这个问题的吗？

好的，我一直在尝试研究如何使我的网站能够在 facebook 画布应用程序中工作，因为它只是显示为空白。我发现这个网站 tut 似乎对它为什么不起作用有所了解：这里和这里是git

我不知道如何从我的网站调用它，我已将文档上传到服务器，但我该如何使用它？我只能做 PHP，一点 mySQL，html 和 jquery 等......我的知识并没有跨越这么多。

任何建议将不胜感激这是我需要在我的服务器上运行的代码：

I'm using Chrome Version 31.0.1650.63 m.

Recently, I've noticed a few errors being thrown in the Chrome developer console, but nothing seems wrong with my site. Upon investigation, they seem to be related to an embedded youtube link. The markup in question is as follows:

The video itself is irrelevant (I just grabbed the first one I saw on youtubes front page as a test), but I've included the link I'm using here in case something very specific is happening.

The response headers from the request made in Chrome are as follows:

And the errors I'm getting in the Chrome developer console are as follows:

In big red letters. The first thing I notice is that the errors both reference the value "sil", which I don't see in any of the response headers for HTTP request.

The video displays and plays fine, and the errors say that default settings will be used - so this doesn't look like an issue. However, I'm keen to understand what's going on, and why these errors are occurring.

I notice that the errors relate to XSS, and from my research, I think the X-XSS-Protection header is for IE8 only, and the value being returned from YouTube is invalid (report= et al). The X-Frame-Options header's value seems to be invalid according to the specification, but Wikipedia (I know!) references the ALLOWALL option:

In addition to that, some advertising sites return a non-standard ALLOWALL value with the intention to allow framing their content on any page (equivalent of not setting X-Frame-Options at all).[31]

Is this a valid concern? Is this a Chrome parsing error, an issue with youtube's headers, or am I completely missing the point?

I have also done some testing in Firefox v26, IE 11.0.6600.16476, and Opera 12.16, and none of those browsers produce this error.

I've an app, which loads data from database. In a table I'm storing some URLs EX: https://facebook.com. Remember these URLs are dynamic and are controlled in admin panel.

Now, I need to get contents of these URLs and display it inside iFrame or inside a div within my app. Idea here is user should not go away from my app.

When I tried to load https://facebook.com it never loads because they've (X-Frame-Options) enabled.

Is there any solution for this?

在 Chrome 扩展中使用 X-Frame-Options非常简单。但不幸的是，这不适用于 Chrome Web Store URL。当我尝试在 iframe 中加载https://chrome.google.com/webstore/category/apps时，我仍然收到此控制台错误：

拒绝在框架中显示“ https://chrome.google.com/webstore/category/apps ”，因为它将“X-Frame-Options”设置为“sameorigin”。

这就是在 iframe 标记中加载的内容：<html><head></head><body></body></html>

我确定我在 onHeadersReceived() 中正确删除了 X-Frame-Options 标头，因为这适用于例如http://www.google.com（如果不删除 X-Frame-Options 标头就不会） .

关于如何解决这个问题的任何想法？

我可以将 X-Frame-Options 标头添加到通过 Tomcat 提供的 JavaScript 文件吗？我正在以编程方式将标题添加到所有 jsps。

I'm writing a tool for finding css selectors on outer web page. It's plain html page that contains iframe with target site and few control elements. All logic is also in javascript using jquery, so no server-side for now.

The problem I faced is that a can't add handlers/classes to iframe document elements using Firefox 26.0 . Sample code:

I get next error message in console: Error: Permission denied to access property 'document'. I understand that it's a security feature indeed, but I just need to workaround it somehow.

What I've tried:

• Using Google Chrome - it allows to run browser with special flag (--disable-web-security) that turns off such security features. It helped and my tool is working just as I expected, but I need to use exactly Firefox.
• Using addon https://addons.mozilla.org/en-US/firefox/addon/forcecors/ . It didn't helped at all. I also tried to add x-frames-origin header by that tool, but no result.
• Turning off security.fileuri.strict_origin_policy flag in firefox configuration. Also didn't help.

Maybe I missed something and there is some other workaround/better solution? I'll appreciate any help.

Update: page and iframe are NOT on the same site. My tool is just local .html file, iframe source - any site(wikipedia, yahoo etc.)

我找到了很多关于如何删除 X-Frame-Options SAMEORIGIN 的答案，但我一直无法找到如何添加它的正确答案。

该应用程序位于 Heroku 上，并在 Rails 2.3.15 (nginx) 下运行。我不认为它是 Sinatra 应用程序（我之所以这么说只是因为没有 config.ru。一位朋友为我构建了该应用程序，但他现在无法提供帮助，所以我不肯定。）

我尝试将以下内容添加到 /app/controllers/application_controller.rb 但它只是让每个页面都返回 503：

config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN' }

当失败时，我在同一个文件中尝试了这种语法：

这似乎并没有破坏任何东西，但也没有添加新的 http 标头。

您可能会说，我几乎不知道我在说什么，所以请随时与我交谈，就像我在您的回答中是一个 n00b 一样。:-)

-=-=- 编辑 -=-=-=-

自己想出来为应用程序本身提供的页面添加 http 标头。

将此添加到 /app/controllers/application_controller.rb ：

before_filter :default_headers

仍然不知道如何将它添加到我在应用程序外部的几个页面中，在 /public/ 中，所以在这方面欢迎指针。