X-Frame Options Spring Boot
Question
So I'm trying to configure an iframe on my Spring Boot application. However, I'm struggling to get the X-Frame-Options to ALLOW-FROM. Here's what I have for my HTML and Spring Security file.
HTML IFrame:
```html
<div class="gridItem8">
  <iframe src="https://www.youtube.com/watch?v=HV2LVEPrKGs&feature=emb_title" title="Halo Video"></iframe>
</div>
```
Security Config:
```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Inside a WebSecurityConfigurerAdapter subclass (Spring Security 5.x style).
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers().authenticated() // no patterns given, so this rule has no effect
            .antMatchers("/", "/about", "/signup", "/signUpForm",
                    "/signUpFormError", "/login", "/logOut", "/ForgotPasswordPage", "/Forgot_Password",
                    "/SignUp", "/registrationComplete").permitAll()
            .antMatchers("/LoggedInUser/**").hasAnyAuthority("ADMIN", "USER", "MODERATOR")
            .anyRequest().authenticated()
            .and()
        .csrf().disable()
        .formLogin()
            .loginPage("/login").failureUrl("/login?error=true")
            .defaultSuccessUrl("/LoggedInUser/success")
            .usernameParameter("email")
            .passwordParameter("password")
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logOut"))
            .logoutSuccessUrl("/")
            .and()
        .headers()
            // Turns off Spring Security's default X-Frame-Options: DENY header ...
            .frameOptions().disable()
            // ... and replaces it with a hand-written ALLOW-FROM header on this app's responses.
            .addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS",
                    "ALLOW-FROM https://www.youtube.com/watch?v=HV2LVEPrKGs&feature=emb_title"));
}
```
Any help would be much appreciated. Thanks!
Answer 1
Score: 1
X-Frame-Options is an HTTP response header which is set by the server from which you are requesting the resource. It is used to indicate whether or not the browser should be allowed to render a page in a <frame>, to avoid click-jacking attacks by ensuring that the content is not embedded into other sites.

Please see the MDN docs about it: X-Frame-Options.

So if a resource on youtube.com sets X-Frame-Options to DENY, then that resource is not allowed to render in a <frame>. If it is SAMEORIGIN, the resource can only be rendered in a <frame> on the same domain as the page itself. ALLOW-FROM uri is an obsolete directive that no longer works in modern browsers.

If you want to embed a YouTube video in your site, just use the share feature and copy the HTML code into your site; it should work. Here's an example.
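As an added illustration (not code from the answer above or from the questioner's project), here is the defender-side takeaway for the Spring Security config in the question, in the same Spring Security 5 style: the X-Frame-Options header the Spring app sends only governs who may frame the app's own pages, so it should stay enabled, while the video is loaded from YouTube's embed URL, which YouTube serves for exactly this purpose. The class name is hypothetical, and the embed URL form is assumed from what the Share > Embed dialog produces (the video id is the one from the question).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; the question's per-path authorization rules are left out here.
@Configuration
@EnableWebSecurity
public class FrameHeadersConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated() // put the question's antMatchers rules here
                .and()
            .headers()
                // Keep X-Frame-Options on our own responses. It decides who may put
                // *our* pages in a frame (clickjacking protection) and says nothing
                // about whether youtube.com allows itself to be framed, so disabling
                // it as in the question gains nothing and only drops the protection.
                .frameOptions().sameOrigin()
                // Modern replacement for the obsolete ALLOW-FROM: frame-ancestors lists
                // the origins allowed to frame us. 'self' mirrors SAMEORIGIN; add an
                // explicit origin here if a specific partner site must embed this app.
                .contentSecurityPolicy("frame-ancestors 'self'");
    }
}

/*
 * The template that shows the video points the iframe at YouTube's embed URL
 * (assumed form, as produced by the Share > Embed dialog) instead of the watch URL:
 *
 *   <iframe src="https://www.youtube.com/embed/HV2LVEPrKGs"
 *           title="Halo Video" allowfullscreen></iframe>
 *
 * The embed page is built to be framed; the /watch page is not, and no header set
 * by the Spring application can override what youtube.com sends for its own pages.
 */
```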