X-Frame-Options ALLOW-FROM a specific site allows from all


I'm using a rails application to serve a page from abc.com. In it, I set the response headers in my application controller (for every request through before_filter) so that it can be accessed through an iframe only from a specific site (xyz.com), through the following code:


def set_x_frame_options
  response.headers["X-Frame-Options"] = "ALLOW-FROM http://www.xyz.com"
end

The problem is, not only am I able to access the page from abc.com on xyz but also on any other website. I want to limit the access to only xyz.com. When I examine the response headers in chrome console I can see the X-Frame-Options is being passed on correctly. This is happening across all browsers. Am I missing something?


1 solution

#1


1  

For those looking for a definitive answer: it's not implemented in webkit, but does work in Firefox reportedly as of version 18.0. The following ruby syntax works for me in Firefox 20.0 on OSX:


response.headers["X-Frame-Options"] = "Allow-From http://www.website.com"
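As an added example (not code from the question or the answer), here is a Rails-style header builder that sends both X-Frame-Options ALLOW-FROM and its standard replacement, Content-Security-Policy frame-ancestors, together with a simplified model of the browser-side decision that shows why an ALLOW-FROM value a browser does not recognise leaves the page frameable from any site. The ALLOWED_PARENT and PAGE_ORIGIN constants and the framing_allowed? helper are assumptions of this example, not part of the original post.

```ruby
# Added example, not from the original post. frame_headers builds what a Rails
# before_filter could put on the response so only ALLOWED_PARENT may frame the
# page: X-Frame-Options ALLOW-FROM for browsers that implemented it (Firefox),
# plus Content-Security-Policy frame-ancestors, which WebKit/Blink browsers
# actually enforce. framing_allowed? is a simplified model of the browser
# decision, used to show why the asker saw the page framed from every site.
ALLOWED_PARENT = "http://www.xyz.com".freeze # origin named in the question
PAGE_ORIGIN    = "http://abc.com".freeze     # the framed page's own origin

def frame_headers(allowed_parent = ALLOWED_PARENT)
  {
    "X-Frame-Options"         => "ALLOW-FROM #{allowed_parent}",
    "Content-Security-Policy" => "frame-ancestors #{allowed_parent}",
  }
end

# supports_allow_from: false models WebKit/Blink, which never implemented
# ALLOW-FROM and treat the unrecognised value as "no restriction".
# CSP source matching is simplified here (exact origin, '*', 'self', 'none');
# real browsers also handle scheme and host wildcards.
def framing_allowed?(headers, parent_origin, supports_allow_from: false,
                     supports_csp: true, page_origin: PAGE_ORIGIN)
  csp = headers["Content-Security-Policy"].to_s
  if supports_csp && (m = csp.match(/frame-ancestors\s+([^;]+)/i))
    sources = m[1].split
    return false if sources.include?("'none'")
    return sources.any? { |s| s == "*" || s == parent_origin ||
                               (s == "'self'" && parent_origin == page_origin) }
  end

  xfo = headers["X-Frame-Options"].to_s.strip
  if xfo.casecmp?("DENY")
    false
  elsif xfo.casecmp?("SAMEORIGIN")
    parent_origin == page_origin
  elsif (m = xfo.match(/\AALLOW-FROM\s+(\S+)\z/i))
    supports_allow_from ? m[1] == parent_origin : true
  else
    true # no header, or a value this browser does not recognise
  end
end

if __FILE__ == $PROGRAM_NAME
  xfo_only = { "X-Frame-Options" => "ALLOW-FROM #{ALLOWED_PARENT}" }
  puts "Chrome, XFO only, other site: #{framing_allowed?(xfo_only, 'http://other.example')}"
  puts "Chrome, XFO+CSP, other site:  #{framing_allowed?(frame_headers, 'http://other.example')}"
end
```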

Note!

Articles translated on this site are copyrighted by this site; reproduction without permission is prohibited. When reproducing, please cite this article's address: http://www.itdaan.com/blog/2012/07/16/ab9a6374193856a58b51810b64c91586.html



 
© 2014-2018 ITdaan.com Guangdong ICP Filing No. 14056181