HTTP中的X-Frame-Options响应头

本文作者: jsweibo

本文链接: https://jsweibo.github.io/2020/02/24/HTTP%E4%B8%AD%E7%9A%84X-Frame-Options%E5%93%8D%E5%BA%94%E5%A4%B4/

摘要

本文主要讲述了：

作用
取值范围

正文

作用

表示是否允许网页在<iframe>等元素中渲染

注意：无法通过<meta>设置X-Frame-Options

取值范围

deny
sameorigin

deny

禁止网页在<iframe>中渲染

示例：

nginx.conf

server {
    listen 80;
    server_name a.foo.com;

    location / {
        root html/a.foo.com;
        index  index.html index.htm;
        add_header X-Frame-Options deny;
    }
}

a.foo.com/index.html

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Document</title>
  </head>
  <body>
    <h1>index</h1>
    <iframe src="./back.html"></iframe>
  </body>
</html>

a.foo.com/back.html

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Document</title>
  </head>
  <body>
    <h1>back</h1>
  </body>
</html>

sameorigin

仅允许网页在同源网站的<iframe>中渲染

示例：

nginx.conf

server {
    listen 80;
    server_name a.foo.com;

    location / {
        root html/a.foo.com;
        index  index.html index.htm;
        add_header X-Frame-Options sameorigin;
    }
}

a.foo.com/index.html

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Document</title>
  </head>
  <body>
    <h1>index</h1>
    <iframe src="./back.html"></iframe>
  </body>
</html>

a.foo.com/back.html

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Document</title>
  </head>
  <body>
    <h1>back</h1>
  </body>
</html>