Overcoming "Display forbidden by X-Frame-Options"

Published 2024-11-19 19:03:12, 209 characters, 7 views, 0 comments

I'm writing a tiny webpage whose purpose is to frame a few other pages, simply to consolidate them into a single browser window for ease of viewing. A few of the pages I'm trying to frame forbid being framed and throw a "Refused to display document because display forbidden by X-Frame-Options." error in Chrome. I understand that this is a security limitation (for good reason), and don't have access to change it.

Is there any alternative framing or non-framing method to display pages within a single window that won't get tripped up by the X-Frame-Options header?

Answers (26)

弥枳 2024-11-26 19:03:12

If a website refuses to be framed, there is no way to overcome that.

(This post previously contained incorrect advice suggesting adding another X-Frame-Options header whose value is GOFORIT, but in all implementations that would also result in the website refusing to be framed and didn't actually address the question from OP.)

一场春暖 2024-11-26 19:03:12

If you are getting this error for a YouTube video, rather than using the full url use the embed url from the share options. It will look like http://www.youtube.com/embed/eCfDxZxTBW4

You may also replace watch?v= with embed/ so http://www.youtube.com/watch?v=eCfDxZxTBW4 becomes http://www.youtube.com/embed/eCfDxZxTBW4

慕巷 2024-11-26 19:03:12

If you are getting this error while trying to embed a Google Map in an iframe, you need to add &output=embed to the source link.

清晨说晚安 2024-11-26 19:03:12

UPDATE 2019: You can bypass X-Frame-Options in an <iframe> using just client-side JavaScript and my X-Frame-Bypass Web Component. Here is a demo: Hacker News in an X-Frame-Bypass. (Tested in Chrome & Firefox.)

平定天下 2024-11-26 19:03:12

Adding a

  target='_top'

to my link in the facebook tab fixed the issue for me...

转身泪倾城 2024-11-26 19:03:12

If you're getting this error trying to embed Vimeo content, change the src of the iframe,

from: https://vimeo.com/63534746
to: http://player.vimeo.com/video/63534746

2024-11-26 19:03:12

I had same issue when I tried embed moodle 2 in iframe, solution is Site administration ► Security ► HTTP security and check Allow frame embedding

花落人断肠 2024-11-26 19:03:12

I tried nearly all suggestions. However, the only thing that really solved the issue was:

  1. Create an .htaccess in the same folder where your PHP file lies.

  2. Add this line to the htaccess:

    Header always unset X-Frame-Options

Embedding the PHP by an iframe from another domain should work afterwards.

Additionally you could add in the beginning of your PHP file:

header('X-Frame-Options: ALLOW');

Which was, however, not necessary in my case.

和我恋爱吧 2024-11-26 19:03:12

Solution for loading an external website into an iFrame even though the x-frame option is set to deny on the external website.

If you want to load another website into an iFrame and you get the "Display forbidden by X-Frame-Options" error then you can actually overcome this by creating a server side proxy script.

The src attribute of the iFrame could have an url looking like this: /proxy.php?url=https://www.example.com/page&key=somekey

Then proxy.php would look something like:

<?php
// Relay only the fetched page body; the remote site's response headers,
// X-Frame-Options included, never reach the browser.
if (isValidRequest()) {
    echo file_get_contents($_GET['url']);
}

// Only the method and a shared key are checked here; the url parameter
// itself is not validated, which is what the warning below is about.
function isValidRequest() {
    return $_SERVER['REQUEST_METHOD'] === 'GET' && isset($_GET['key']) &&
        $_GET['key'] === 'somekey';
}

This bypasses the block, because it is just a GET request that might as well have been an ordinary browser page visit.

Be aware: You might want to improve the security in this script. Because hackers could start loading in webpages via your proxy script.
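
One way to implement the validation that warning calls for, as an added example in Python rather than the answer's PHP (it is not code from the original post): the shared key is compared in constant time, and the target URL must be an https URL whose host is on an explicit allow-list, so the proxy cannot be pointed at arbitrary or internal addresses. The key, the allowed hosts and the URLs in the test are constructed values; `is_valid_request` mirrors the answer's `isValidRequest()` with the target check added.

```python
"""Request validation for a header-stripping proxy such as the proxy.php above."""
import hmac
import ipaddress
from urllib.parse import urlsplit

# Constructed configuration: in a real deployment the key comes from the
# environment or a secrets store, and the allow-list names only the sites
# this proxy is meant to embed.
PROXY_KEY = "constructed-example-key-use-a-long-random-value"
ALLOWED_HOSTS = frozenset({"www.example.com", "docs.example.com"})
ALLOWED_SCHEMES = frozenset({"https"})


def key_is_valid(presented, expected=PROXY_KEY):
    """Constant-time comparison: a plain == leaks how many leading bytes matched."""
    if not isinstance(presented, str):
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def target_is_allowed(url, allowed_hosts=ALLOWED_HOSTS, allowed_schemes=ALLOWED_SCHEMES):
    """Accept only an https URL whose host is on the allow-list.

    Refuses other schemes (file:, ftp:, ...), URLs carrying credentials, and
    literal IP addresses, which would sidestep a host-name allow-list. The host
    name is checked as written, not resolved, so a resolver-level check is still
    needed if a listed name could be pointed at an internal address.
    """
    if not isinstance(url, str):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed IPv6 literal and similar
        return False
    if parts.scheme.lower() not in allowed_schemes:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    host = host.lower()
    try:
        ipaddress.ip_address(host)
        return False            # IP literal: never allowed
    except ValueError:
        pass                    # not an IP literal, carry on
    return host in allowed_hosts


def is_valid_request(method, params):
    """The isValidRequest() check from the answer, extended to validate the target."""
    return (method == "GET"
            and key_is_valid(params.get("key"))
            and target_is_allowed(params.get("url")))
```

The allow-list is the important part: a proxy that fetches any URL it is handed is an open relay for whoever finds it, and the key alone only limits who can use it, not what it can reach.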

若言繁花未落 2024-11-26 19:03:12

This is the solution guys!!

FB.Event.subscribe('edge.create', function(response) {
    window.top.location.href = 'url';
});

The only thing that worked for facebook apps!

吃→可爱长大的 2024-11-26 19:03:12

It appears that X-Frame-Options Allow-From https://... is deprecated and was replaced (and gets ignored) if you use the Content-Security-Policy header instead.

Here is the full reference: https://content-security-policy.com/
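
To show what replaces Allow-From, here is an added example (Python; not from the answer and not from content-security-policy.com) that evaluates a Content-Security-Policy `frame-ancestors` directive against the origins of the frames a page would be embedded in, following the CSP source-expression matching rules: `'self'`, `'none'`, `*`, scheme sources such as `https:`, and host sources with `*.` wildcards and ports. The policies and origins used in the test are constructed.

```python
"""Evaluate a Content-Security-Policy frame-ancestors directive for embedding origins."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_parts(origin):
    """(scheme, host, effective port) of an origin such as https://a.example:8443."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def scheme_matches(expr_scheme, origin_scheme):
    """CSP scheme matching: http: also covers https, ws: also covers wss."""
    return expr_scheme == origin_scheme or (expr_scheme, origin_scheme) in {("http", "https"), ("ws", "wss")}


def host_matches(pattern, host):
    """Exact host, or a *.example.com wildcard that covers subdomains but not the apex."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return pattern == host


def source_matches(expr, ancestor_origin, page_origin):
    """Does one frame-ancestors source expression match the ancestor's origin?"""
    expr = expr.strip().lower()
    a_scheme, a_host, a_port = origin_parts(ancestor_origin)
    p_scheme, p_host, p_port = origin_parts(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (a_scheme, a_host, a_port) == (p_scheme, p_host, p_port)
    if expr == "*":
        return a_scheme in DEFAULT_PORTS
    if expr.endswith(":") and "/" not in expr and expr.count(":") == 1:
        return scheme_matches(expr[:-1], a_scheme)  # scheme-source such as https:
    # host-source: [scheme://]host[:port][/path]; the path is irrelevant for origins
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    else:
        scheme, rest = p_scheme, expr  # no scheme given: the page's own scheme applies
    host, _, port = rest.split("/", 1)[0].partition(":")
    if not scheme_matches(scheme, a_scheme) or not host_matches(host, a_host):
        return False
    if port == "":
        return a_port == DEFAULT_PORTS.get(a_scheme)
    if port == "*":
        return True
    return port.isdigit() and int(port) == a_port


def frame_ancestors_sources(csp_header):
    """Source list of the frame-ancestors directive, or None if the policy has none."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_allowed_by_csp(csp_header, page_origin, ancestor_origins):
    """True/False per the policy; None when the policy does not restrict framing.

    Every ancestor in the frame chain must match at least one source; an empty
    source list behaves like 'none'.
    """
    sources = frame_ancestors_sources(csp_header)
    if sources is None:
        return None
    return all(any(source_matches(s, anc, page_origin) for s in sources) for anc in ancestor_origins)


def allow_from_replacement(*embedder_origins):
    """The directive that replaces the deprecated X-Frame-Options: ALLOW-FROM <origin>."""
    return "frame-ancestors 'self' " + " ".join(embedder_origins)
```

Unlike ALLOW-FROM, which could name only one origin and was never supported by every browser, `frame-ancestors` takes a whole source list and is checked against every frame in the chain, not just the immediate parent.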

仄言 2024-11-26 19:03:12

I had the same problem with mediawiki, this was because the server denied embedding the page into an iframe for security reasons.

I solved it writing

$wgEditPageFrameOptions = "SAMEORIGIN"; 

into the mediawiki php config file.

Hope it helps.

避讳 2024-11-26 19:03:12

Not mentioned but can help in some instances:

// Assumed to be provided by the surrounding page: the target <iframe>
// element and the URL to load into it (hypothetical values below).
var iframe = document.getElementById('viewer');
var url = 'https://www.example.com/page';

var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
    if (xhr.readyState !== 4) return;
    if (xhr.status === 200) {
        // Write the fetched markup into the frame ourselves, so the frame
        // never receives the remote response headers.
        var doc = iframe.contentWindow.document;
        doc.open();
        doc.write(xhr.responseText);
        doc.close();
    }
};
// Only works when 'url' is same-origin or the remote site permits the read
// via CORS; otherwise the browser refuses to expose responseText.
xhr.open('GET', url, true);
xhr.send(null);

别理我 2024-11-26 19:03:12

FWIW:

We had a situation where we needed to kill our iFrame when this "breaker" code showed up. So, I used the PHP function get_headers($url); to check out the remote URL before showing it in an iFrame. For better performance, I cached the results to a file so I was not making a HTTP connection each time.

痴意少年 2024-11-26 19:03:12

I was using Tomcat 8.0.30, none of the suggestions worked for me. As we are looking to update the X-Frame-Options and set it to ALLOW, here is how I configured it to allow embedding in iframes:

  • Navigate to Tomcat conf directory, edit the web.xml file
  • Add the below filter:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <!-- ALLOW-FROM takes the permitted origin from the antiClickJackingUri
         parameter, which is not set here. -->
    <async-supported>true</async-supported>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

  • Restart Tomcat service
  • Access the resources using an iFrame.

千鲤 2024-11-26 19:03:12

The only real answer, if you don't control the headers on your source you want in your iframe, is to proxy it. Have a server act as a client, receive the source, strip the problematic headers, add CORS if needed, and then ping your own server.

There is one other answer explaining how to write such a proxy. It isn't difficult, but I was sure someone had to have done this before. It was just difficult to find it, for some reason.

I finally did find some sources:

https://github.com/Rob--W/cors-anywhere/#documentation

^ preferred. If you need rare usage, I think you can just use his heroku app. Otherwise, it's code to run it yourself on your own server. Not sure what the limits are.

whateverorigin.org

^ second choice, but quite old. supposedly newer choice in python: https://github.com/Eiledon/alloworigin

then there's the third choice:

http://anyorigin.com/

Which seems to allow a little free usage, but will put you on a public shame list if you don't pay and use some unspecified amount, which you can only be removed from if you pay the fee...

九八野马 2024-11-26 19:03:12

The only question that has a bunch of answers. Welcome to the guide I wish I had when I was scrambling for this to make it work at 10:30 at night on the deadline day... FB does some weird things with canvas apps, and well, you've been warned. If you are still here and you have a Rails app that will appear behind a Facebook Canvas, then you will need:

Gemfile:

gem "rack-facebook-signed-request", :git => 'git://github.com/cmer/rack-facebook-signed-request.git'

config/facebook.yml

facebook:
  key: "123123123123"
  secret: "123123123123123123secret12312"

config/application.rb

config.middleware.use Rack::Facebook::SignedRequest, app_id: "123123123123", secret: "123123123123123123secret12312", inject_facebook: false

config/initializers/omniauth.rb

OmniAuth.config.logger = Rails.logger
SERVICES = YAML.load(File.open("#{::Rails.root}/config/oauth.yml").read)
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, SERVICES['facebook']['key'], SERVICES['facebook']['secret'], iframe:   true
end

application_controller.rb

before_filter :add_xframe
def add_xframe
  headers['X-Frame-Options'] = 'GOFORIT'
end

You need a controller to call from Facebook's canvas settings, I used /canvas/ and made the route go to the main SiteController for this app:


class SiteController < ApplicationController
  def index
    @user = User.new
  end
  def canvas
    redirect_to '/auth/failure' if request.params['error'] == 'access_denied'
    url = params['code'] ? "/auth/facebook?signed_request=#{params['signed_request']}&state=canvas" : "/login"
    redirect_to url
  end
  def login
  end
end

login.html.erb


<% content_for :javascript do %>
  var oauth_url = 'https://www.facebook.com/dialog/oauth/';
  oauth_url += '?client_id=471466299609256';
  oauth_url += '&redirect_uri=' + encodeURIComponent('https://apps.facebook.com/wellbeingtracker/');
  oauth_url += '&scope=email,status_update,publish_stream';
console.log(oauth_url);
  top.location.href = oauth_url;
<% end %>

Sources

  • The config I think came from omniauth's example.
  • The gem file (which is key!!!) came from: slideshare things i learned...
  • This stack question had the whole Xframe angle, so you'll get a blank space if
    you don't put this header in the app controller.
  • And my man @rafmagana wrote this heroku guide, which now you can adopt for rails with this answer and the shoulders of giants on which you walk.

°如果伤别离去 2024-11-26 19:03:12
<form target="_parent" ... />

Using Kevin Vella's idea, I tried using the above on the form element made by PayPal's button generator. Worked for me so that Paypal does not open in a new browser window/tab.

Update

Here's an example:

Generating a button as of today (01-19-2021), PayPal automatically includes target="_top" on the form element, but if that doesn't work for your context, try a different target value. I suggest _parent -- at least that worked when I was using this PayPal button.

See Form Target Values for more info.

<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_parent">
  <input type="hidden" name="cmd" value="_xclick">
  <input type="hidden" name="business" value="[email protected]">
  <input type="hidden" name="lc" value="US">
  <input type="hidden" name="button_subtype" value="services">
  <input type="hidden" name="no_note" value="0">
  <input type="hidden" name="currency_code" value="USD">
  <input type="hidden" name="bn" value="PP-BuyNowBF:btn_buynowCC_LG.gif:NonHostedGuest">
  <input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
  <img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>

樱花细雨 2024-11-26 19:03:12

Site owners use the X-Frame-Options response header so that their website cannot be opened in an Iframe. This helps to secure the users against clickjacking attacks.

There are a couple of approaches that you can try if you want to disable X-Frame-Options on your own machine.

Configuration at Server-Side

If you own the server or can work with the site owner then you can ask to set up a configuration to not send the Iframe buster response headers based on certain conditions. Conditions could be an additional request header or a parameter in the URL.

For example - The site owner can add additional code to not send Iframe buster headers when the site is opened with the ?in_debug_mode=true query param.

Use a browser extension like Requestly to remove response headers

You can use any browser extension like Requestly which allows you to modify the request & response headers. Here's a Requestly blog that explains how to embed sites in an Iframe by bypassing Iframe buster headers.

Configure a pass-through proxy and remove headers from it

If you need to bypass Iframe buster headers for multiple folks, then you can also configure a pass-through proxy that just removes the frame buster response headers and returns the response. This is, however, a lot more complicated to write and set up. There are some other challenges like authentication etc. with sites opened in an Iframe through a proxy, but this approach can work for simple sites pretty well.

PS - I have built both solutions and have first-hand experience with both.

再浓的妆也掩不了殇 2024-11-26 19:03:12

I'm not sure how relevant it is, but I built a work-around to this. On my site, I wanted to display a link in a modal window that contained an iframe which loads the URL.

What I did is, I linked the click event of the link to this javascript function. All this does is make a request to a PHP file that checks the URL headers for X-FRAME-Options before deciding whether to load the URL within the modal window or to redirect.

Here's the function:

function opentheater(link, title) {
    // Ask the server-side helper whether the target sends X-Frame-Options
    $.get("url_origin_helper.php?url=" + encodeURIComponent(link), function(data) {
        if (data == "ya") {
            // title and link are inserted as raw HTML here; escape them
            // unless both are trusted values.
            $(".modal-title").html("<h3 style='color:480060;'>" + title + "   <small>" + link + "</small></h3>");
            $("#linkcontent").attr("src", link);
            $("#myModal").modal("show");
        } else {
            window.location.href = link;
            //alert(data);
        }
    });
}

Here's the PHP file code that checks for it:

<?php
$url = rawurldecode($_REQUEST['url']);
// get_headers() follows redirects and fetches whatever URL it is given,
// so this helper should only accept URLs you intend to link to.
$header = get_headers($url, 1);
// Header names are case-insensitive (HTTP/2 servers send them in lowercase),
// so normalise the keys before looking for X-Frame-Options.
$header = array_change_key_case($header, CASE_LOWER);
if (array_key_exists("x-frame-options", $header)) {
    echo "nein";
} else {
    echo "ya";
}
?>

Hope this helps.
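
As an added example (Python; not the code of this answer or of the earlier get_headers() answer), here is the header pre-check the two answers describe, with the header lookup made case-insensitive (HTTP/2 servers send lowercase names, which a case-sensitive key test would miss) and the decision modelled on the HTML standard's X-Frame-Options algorithm. That also reproduces the point made in the first answer: a single unrecognised value such as ALLOW-FROM, ALLOW or GOFORIT is ignored, while "DENY, GOFORIT" still blocks. A frame-ancestors directive in Content-Security-Policy overrides X-Frame-Options, so the check returns None in that case and leaves the decision to CSP. The cache follows the earlier answer's idea of remembering results so that each link does not cost an HTTP request. The fetcher, the sample responses and the URLs are constructed; a real deployment would obtain the headers with an HTTP HEAD or GET.

```python
"""Pre-check a page's response headers before loading it in an iframe."""
import time
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP/2 servers send lowercase names)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def origin_of(url):
    """(scheme, host, effective port), so https://a/ and https://a:443/ compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def xfo_allows_framing(headers, page_url, ancestor_urls):
    """Would browsers render page_url inside frames hosted at ancestor_urls?

    Follows the HTML standard's X-Frame-Options check. Returns None when a
    Content-Security-Policy frame-ancestors directive is present, because
    browsers then ignore X-Frame-Options and CSP alone decides.
    """
    csp = get_header(headers, "Content-Security-Policy") or ""
    if any(d.strip().lower().startswith("frame-ancestors") for d in csp.split(";")):
        return None
    raw = get_header(headers, "X-Frame-Options")
    if raw is None:
        return True
    values = [v.strip().lower() for v in raw.split(",") if v.strip()]
    if len(values) > 1:
        # Several values (two headers or a comma list): any of these keywords
        # blocks, so appending "GOFORIT" to an existing DENY changes nothing.
        return not any(v in ("deny", "allowall", "sameorigin") for v in values)
    value = values[0] if values else ""
    if value == "deny":
        return False
    if value == "sameorigin":
        page = origin_of(page_url)
        return all(origin_of(a) == page for a in ancestor_urls)
    # ALLOW-FROM, ALLOW, GOFORIT or anything else is unrecognised and ignored.
    return True


class FramingCheckCache:
    """Remember each URL's verdict for ttl seconds so repeated links cost no HTTP request."""

    def __init__(self, fetch_headers, ttl=3600, clock=time.time):
        self._fetch = fetch_headers  # callable: url -> dict of response headers
        self._ttl = ttl
        self._clock = clock
        self._store = {}

    def can_embed(self, url, ancestor_urls):
        now = self._clock()
        cached = self._store.get(url)
        if cached is not None and now - cached[0] < self._ttl:
            return cached[1]
        verdict = xfo_allows_framing(self._fetch(url), url, ancestor_urls)
        self._store[url] = (now, verdict)
        return verdict


# Constructed sample responses standing in for the headers a real fetch would return.
SAMPLE_RESPONSES = {
    "https://docs.example/page": {"content-type": "text/html", "x-frame-options": "SAMEORIGIN"},
    "https://news.example/": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "https://legacy.example/": {"X-Frame-Options": "ALLOW-FROM https://portal.example"},
    "https://strict.example/": {"X-Frame-Options": "DENY, GOFORIT"},
    "https://csp.example/": {"X-Frame-Options": "DENY",
                             "Content-Security-Policy": "frame-ancestors https://portal.example"},
    "https://open.example/": {"Content-Type": "text/html"},
}

FETCH_COUNT = {"n": 0}


def sample_fetch(url):
    """Stand-in for an HTTP HEAD/GET; counts calls so caching can be observed."""
    FETCH_COUNT["n"] += 1
    return SAMPLE_RESPONSES[url]


def demo():
    """Decide, for each sample URL, whether https://portal.example may embed it."""
    cache = FramingCheckCache(sample_fetch, ttl=60, clock=lambda: 1000.0)
    embedder = ["https://portal.example"]
    return {url: cache.can_embed(url, embedder) for url in SAMPLE_RESPONSES}
```

A caller that gets None should run the CSP check instead of assuming either answer; treating None as "allowed" would show a blank frame for pages that rely on frame-ancestors alone.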

热血少△年 2024-11-26 19:03:12

I came across this issue when running a WordPress web site. I tried all sorts of things to fix it and wasn't sure how; ultimately the issue was because I was using DNS forwarding with masking, and the links to external sites were not being addressed properly. i.e. my site was hosted at http://123.456.789/index.html but was masked to run at http://somewebSite.com/index.html. When I entered http://123.456.789/index.html in the browser, clicking on those same links resulted in no X-frame-origins issues in the JS console, but running http://somewebSite.com/index.html did. In order to properly mask you must add your host's DNS name servers to your domain service, i.e. godaddy.com should have name servers of, for example, ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com, if you were using digitalocean.com as your hosting service.

你是年少的欢喜 2024-11-26 19:03:12

It's surprising that no one here has ever mentioned Apache server's settings (*.conf files) or .htaccess file itself as being a cause of this error. Search through your .htaccess or Apache configuration files, making sure that you don't have the following set to DENY:

Header always set X-Frame-Options DENY

Changing it to SAMEORIGIN, makes things work as expected:

Header always set X-Frame-Options SAMEORIGIN

月牙弯弯 2024-11-26 19:03:12

I had this problem, and resolved it editing httpd.conf

<IfModule headers_module>
    <IfVersion >= 2.4.7 >
        Header always setifempty X-Frame-Options GOFORIT
    </IfVersion>
    <IfVersion < 2.4.7 >
        Header always merge X-Frame-Options GOFORIT
    </IfVersion>
</IfModule>

I changed SAMEORIGIN to GOFORIT
and restarted the server

爱本泡沫多脆弱 2024-11-26 19:03:12

Edit .htaccess if you want to remove X-Frame-Options from an entire directory.

And add the line: Header always unset X-Frame-Options

[contents from: Overcoming "Display forbidden by X-Frame-Options"]

请止步禁区 2024-11-26 19:03:12

Use this line given below instead of header() function.

echo "<script>window.top.location = 'https://apps.facebook.com/yourappnamespace/';</script>";

我们只是彼此的过ke 2024-11-26 19:03:12

Try this thing, I don't think anyone suggested this in the topic. This will resolve like 70% of your issue; for some other pages you have to scrap. I have the full solution but not for public.

ADD below to your iframe

sandbox="allow-same-origin allow-scripts allow-popups allow-forms"
