X-Frame-Options: ALLOW-FROM HTTP and HTTPS
Using "X-Frame-Options: ALLOW-FROM", how can I allow a single domain for both http and https requests?
I have the header below, but the client also serves the site at http://www.example.com.
X-Frame-Options: ALLOW-FROM https://www.example.com
There does not seem to be an option that allows both the HTTP and HTTPS schemes in the same ALLOW-FROM header. Quoting from the spec:
As the "ALLOW-FROM" field only supports one serialized-origin, in cases when the server wishes to allow more than one resource to frame its content, the following design pattern can fulfill that need:

1. A page that wants to render the requested content in a frame supplies its own origin information to the server providing the content to be framed via a query string parameter.

2. The server verifies that the hostname meets its criteria, so that the page is allowed to be framed by the target resource. This may, for example, happen via a lookup of a whitelist of trusted domain names that are allowed to frame the page. For example, for a Facebook "Like" button, the server can check to see that the supplied hostname matches the hostname(s) expected for that "Like" button.

3. The server returns the hostname in "X-Frame-Options: ALLOW-FROM" if the proper criteria was met in step #2.

4. The browser enforces the "X-Frame-Options: ALLOW-FROM" header.
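The pattern quoted in the answer above, written out as an added Node.js example (this is not code from the original post or from the spec). The query parameter name `framer`, the allow-list of hostnames, and the sample URL `https://content.example.org/widget` are assumptions made for illustration. Because the check is done on the parsed hostname rather than the raw string, both the http and https origins of a listed host are accepted, which is exactly what the question asks for. The example goes one step beyond the quoted text by also emitting the equivalent `Content-Security-Policy: frame-ancestors` header, since ALLOW-FROM was only ever honoured by a few browsers and frame-ancestors is the standardized replacement.

```javascript
// Added example (not from the original post): the ALLOW-FROM design pattern
// quoted from the spec, as a reusable Node.js helper.
// Assumptions for illustration: the embedding page passes its origin in a
// query parameter named "framer", and the hosts below are the trusted framers.

// Hostnames that are allowed to frame this resource. Matching is done on the
// hostname only, so both the http and https origins of a listed host pass.
const FRAMER_ALLOWLIST = new Set(["www.example.com", "partner.example.net"]);

// Step 1: the embedding page requests e.g.
//   https://content.example.org/widget?framer=http://www.example.com
// Step 2: verify that the supplied value is a well-formed http(s) origin whose
//         hostname is on the allow-list.
// Step 3: echo exactly that origin back in the header, or DENY framing.
function frameOptionsFor(requestUrl) {
  const url = new URL(requestUrl);
  const framer = url.searchParams.get("framer");
  if (!framer) return "DENY"; // no framer declared: refuse to be framed

  let origin;
  try {
    origin = new URL(framer);
  } catch {
    return "DENY"; // not a parseable URL at all
  }

  // Only http and https are meaningful framer origins; reject anything else
  // (javascript:, data:, file:, ...). Both schemes pass for a listed host.
  if (origin.protocol !== "http:" && origin.protocol !== "https:") return "DENY";

  // Compare the parsed hostname, never the raw string. This defeats values
  // such as "http://www.example.com.evil.test" or
  // "http://evil.test/?x=www.example.com", and the URL parser lowercases
  // the host so "WWW.EXAMPLE.COM" still matches.
  if (!FRAMER_ALLOWLIST.has(origin.hostname)) return "DENY";

  // url.origin serializes scheme://host[:port] only (no path, query or
  // fragment), which is the "serialized-origin" form ALLOW-FROM expects.
  return `ALLOW-FROM ${origin.origin}`;
}

// Full header set for the response: X-Frame-Options for the legacy browsers
// that understood ALLOW-FROM, plus the CSP equivalent for current ones.
function framingHeadersFor(requestUrl) {
  const xfo = frameOptionsFor(requestUrl);
  const csp =
    xfo === "DENY"
      ? "frame-ancestors 'none'"
      : `frame-ancestors ${xfo.slice("ALLOW-FROM ".length)}`;
  return { "X-Frame-Options": xfo, "Content-Security-Policy": csp };
}

// Usage in a plain http server handler:
//   const headers = framingHeadersFor(`https://${req.headers.host}${req.url}`);
//   for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);

module.exports = { frameOptionsFor, framingHeadersFor, FRAMER_ALLOWLIST };
```

One practical point: the framer-supplied origin is attacker-controlled input, so the allow-list decision must be made on the parsed hostname (as above), never by substring or prefix matching on the raw query value.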