X-Frame-Options ALLOW-FROM not working if you don't use www
Angular 7, IIS 7, C# .NET Core, Firefox

For my site https://www.example.com, X-Frame-Options fails if the user uses https://example.com (note the missing www).

The header I am building is:

Headers.Add("X-frame-options", "ALLOW FROM https://www.example.com,https://example.com");

I have tried many iterations, but whatever I try I cannot get it to work for both:

https://www.example.com
https://example.com
Wildcards or lists to declare multiple domains in one ALLOW-FROM statement are not permitted.

1. A page that wants to render the requested content in a frame supplies its own origin information to the server providing the content to be framed via a query string parameter, for example a query string on the URL.
2. The server verifies that the hostname meets its criteria, so that the page is allowed to be framed by the target resource. This may, for example, happen via a lookup of a whitelist of trusted domain names that are allowed to frame the page. For example, for a Facebook "Like" button, the server can check to see that the supplied hostname matches the hostname(s) expected for that "Like" button.
3. The server returns the hostname in "X-Frame-Options: ALLOW-FROM" if the proper criteria was met in step #2.
4. The browser enforces the "X-Frame-Options: ALLOW-FROM" header.
Note that X-Frame-Options has been superseded by Content Security Policy (CSP), whose frame-ancestors directive does allow you to supply a list.

That said, hosting the same site on both www.example.com and example.com makes little sense. Pick one of them as canonical and issue a 301 redirect from the other to it. Then you only need to allow the canonical one in X-Frame-Options.
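As an added example (not code from the question or the answer), here is ASP.NET Core 6+ middleware that applies the answer in C#: it 301-redirects the bare apex host to an assumed canonical www.example.com, sends a CSP frame-ancestors list for current browsers, and for the legacy ALLOW-FROM header follows the four quoted steps, reading the framing page's self-declared origin from an assumed `parent` query parameter and echoing it only when it is a well-formed https origin on the allowlist. The host names, the allowlist entries, the `/embed` route and the parameter name are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Assumptions (not from the thread): www.example.com is the canonical host, the
// bare apex redirects to it, and only these exact origins may frame the site.
const string CanonicalHost = "www.example.com";
const string ApexHost = "example.com";
var allowedFramers = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
    "https://www.example.com",
    "https://partner.example.net",  // hypothetical third-party site that embeds us
};

var app = WebApplication.CreateBuilder(args).Build();

app.Use(async (context, next) =>
{
    // The answer's fix for www vs. non-www: one canonical host, 301 from the other,
    // so the site only ever needs to be framable under a single origin.
    if (context.Request.Host.Host.Equals(ApexHost, StringComparison.OrdinalIgnoreCase))
    {
        var location = $"https://{CanonicalHost}{context.Request.Path}{context.Request.QueryString}";
        context.Response.Redirect(location, permanent: true);
        return;
    }

    // Current browsers: CSP frame-ancestors accepts a list; browsers that support it
    // ignore X-Frame-Options when both headers are present.
    context.Response.Headers["Content-Security-Policy"] =
        FramingPolicy.FrameAncestors(allowedFramers);

    // Legacy IE/Firefox ALLOW-FROM, following the four quoted steps: the framing page
    // declares its origin in ?parent= (1), we check it against the allowlist (2) and
    // echo it only if it matched (3); the browser enforces the result (4).
    context.Response.Headers["X-Frame-Options"] =
        FramingPolicy.XFrameOptions(context.Request.Query["parent"], allowedFramers);

    await next();
});

app.MapGet("/embed", () => "framed content");
app.Run();

static class FramingPolicy
{
    // e.g. "frame-ancestors https://www.example.com https://partner.example.net"
    public static string FrameAncestors(IEnumerable<string> allowed) =>
        "frame-ancestors " + string.Join(' ',
            allowed.Select(NormalizeOrigin).Where(o => o is not null));

    // One origin per response: ALLOW-FROM <origin> for an allowlisted https origin,
    // SAMEORIGIN for anything else (absent, malformed, http, or not on the list).
    // The header carries the normalized origin, never the raw query-string text.
    public static string XFrameOptions(string? parentParam, ISet<string> allowed)
    {
        var origin = NormalizeOrigin(parentParam);
        return origin is not null && allowed.Contains(origin)
            ? $"ALLOW-FROM {origin}"
            : "SAMEORIGIN";
    }

    // "https://Partner.Example.net/widget?x=1" -> "https://partner.example.net"; null if not https.
    private static string? NormalizeOrigin(string? value) =>
        Uri.TryCreate(value, UriKind.Absolute, out var uri) && uri.Scheme == Uri.UriSchemeHttps
            ? uri.GetLeftPart(UriPartial.Authority).ToLowerInvariant()
            : null;
}
```

ALLOW-FROM takes exactly one URI per response, which is why the value is built per request from the framing page's declared origin rather than as a comma-separated list like the one in the question. Normalizing that parameter down to scheme plus authority before the allowlist lookup means the header only ever carries a value you chose, never user-controlled text. Keep in mind that ALLOW-FROM was only ever honoured by Internet Explorer and Firefox (Firefox removed it in version 70); Chromium-based browsers and Safari never supported it and ignore the header when it carries that value, so frame-ancestors is what actually enforces the policy in anything current, with SAMEORIGIN as the fallback for old browsers.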