X-Frame-Options ALLOW-FROM a specific site allows from all


I'm using a rails application to serve a page from abc.com. In it, I set the response headers in my application controller (for every request through before_filter) so that it can be accessed through an iframe only from a specific site (xyz.com), through the following code:


def set_x_frame_options
  response.headers["X-Frame-Options"] = "ALLOW-FROM http://www.xyz.com"
end

The problem is, not only am I able to access the page from abc.com on xyz.com but also on any other website. I want to limit the access to only xyz.com. When I examine the response headers in the Chrome console I can see the X-Frame-Options is being passed on correctly. This is happening across all browsers. Am I missing something?


1 solution

#1


For those looking for a definitive answer: it's not implemented in WebKit, but does work in Firefox reportedly as of version 18.0. The following Ruby syntax works for me in Firefox 20.0 on OS X:


response.headers["X-Frame-Options"] = "Allow-From http://www.website.com"
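The behavior in the question (every browser except Firefox framing the page from anywhere) is what happens when a browser does not recognize ALLOW-FROM and ignores the header. The standardized replacement is the Content-Security-Policy frame-ancestors directive, which WebKit/Blink browsers and Firefox all enforce. Below is an added example (not code from the question or the answer) of a header builder a Rails before_action could call, plus a simplified check that mimics how a CSP-aware browser decides whether to allow framing. It assumes xyz.com serves over HTTPS; the ALLOWED_FRAMER constant, function names and partner.example origin are made up for the example.

```ruby
require 'uri'

ALLOWED_FRAMER = "https://www.xyz.com" # assumption: xyz.com is served over HTTPS

# Reduce a URL to its origin (scheme://host[:port]); a path or query in the
# value would make frame-ancestors fail to parse.
def normalize_origin(url)
  uri = URI.parse(url)
  raise ArgumentError, "origin needs scheme and host: #{url}" unless uri.scheme && uri.host
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host}#{port}"
end

# Headers to merge into a Rails response so the page can be framed only by
# the given origin(s). frame-ancestors takes a space-separated source list,
# so several framers can be allowed without falling back to a wildcard.
def framing_headers(allowed_origins)
  origins = Array(allowed_origins).map { |o| normalize_origin(o) }
  headers = { "Content-Security-Policy" => "frame-ancestors #{origins.join(' ')}" }
  # ALLOW-FROM accepts exactly one URI and is understood only by legacy
  # Firefox/IE; browsers that do not know it ignore the header entirely,
  # which is the "allows from all" effect seen in the question.
  headers["X-Frame-Options"] = "ALLOW-FROM #{origins.first}" if origins.size == 1
  headers
end

# Simplified model of a CSP-aware browser: framing is allowed only when the
# embedding page's origin is listed in frame-ancestors (or the list is '*').
# Real CSP source matching also handles 'self', 'none' and host wildcards.
def framing_allowed?(headers, embedder_url)
  policy = headers["Content-Security-Policy"].to_s
  directive = policy.split(";").map(&:strip).find { |d| d.start_with?("frame-ancestors") }
  return true unless directive # no frame-ancestors directive => CSP imposes no limit
  sources = directive.split(/\s+/).drop(1)
  sources.include?("*") || sources.include?(normalize_origin(embedder_url))
end

# In a controller: before_action { response.headers.merge!(framing_headers(ALLOWED_FRAMER)) }
if __FILE__ == $0
  h = framing_headers(ALLOWED_FRAMER)
  h.each { |k, v| puts "#{k}: #{v}" }
  puts framing_allowed?(h, "https://www.xyz.com/embed.html") # true
  puts framing_allowed?(h, "https://evil.example/")          # false
end
```

Sending both headers keeps the legacy Firefox behavior from the answer while giving WebKit/Blink browsers an equivalent rule they actually enforce.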
