https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. The header must be sent with the HTTP response for the page being framed; it cannot be set from a <meta> tag inside the document.
Using X-Frame-Options
There are three possible values for X-Frame-Options:
DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin.
In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will also fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page. ALLOW-FROM is not honoured by every browser (see the compatibility table below); a browser that does not recognise the value ignores the header entirely and allows the page to be framed.
Configuring Apache
To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration:
Header always set X-Frame-Options "SAMEORIGIN"
Use set rather than append: append adds a second value to a header that another module or directive has already set, and a browser that sees a conflicting value such as "DENY, SAMEORIGIN" refuses to frame the page even from the same origin.
Configuring nginx
To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:
add_header X-Frame-Options SAMEORIGIN;
Note that add_header directives are inherited from the enclosing block only if the current block defines none of its own, so a location block with its own add_header lines must repeat this one. Append the always parameter if the header should also be sent on error responses.
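As an added example (not MDN's code, and not taken from any browser's source), the following Python models how a browser evaluates the three values from the "Using X-Frame-Options" section against the chain of framing documents, and lints a header value for the deployment mistakes the Apache and nginx steps above can produce: a coalesced "DENY, SAMEORIGIN" from an appended header, a misspelt directive, or ALLOW-FROM on a browser that ignores it. Assumptions: SAMEORIGIN is checked against every ancestor frame (stricter than the top-level-only check of some older browsers), a value the browser does not recognise is treated as if no header were sent, conflicting duplicate values are treated as DENY, and all URLs are constructed sample data.

```python
"""Model of browser X-Frame-Options handling plus a deployment linter.
Added example, not MDN's or any browser's code."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the web origin (scheme://host[:port]) of an absolute URL."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = p.scheme.lower()
    port = p.port
    if port is None or DEFAULT_PORTS.get(scheme) == port:
        return f"{scheme}://{p.hostname.lower()}"
    return f"{scheme}://{p.hostname.lower()}:{port}"


def parse_xfo(header_value):
    """Split a header value into (DIRECTIVE, argument) tuples.
    A server that appends instead of setting the header coalesces duplicates
    as 'DENY, SAMEORIGIN'; directive names are case-insensitive."""
    directives = []
    for part in header_value.split(","):
        tokens = part.strip().split(None, 1)
        if not tokens:
            continue
        name = tokens[0].upper()
        arg = tokens[1].strip() if len(tokens) > 1 else None
        directives.append((name, arg))
    return directives


def framing_allowed(header_value, page_url, ancestor_urls, supports_allow_from=True):
    """Decide whether page_url may render inside the given frame chain.
    ancestor_urls lists the embedding documents, top-level window first.
    Returns (allowed, reason)."""
    if not ancestor_urls:
        return True, "not framed"
    if header_value is None or not header_value.strip():
        return True, "no X-Frame-Options header: any site may frame the page"
    distinct = set(parse_xfo(header_value))
    if len(distinct) > 1:
        # Conflicting duplicates are an error; browsers refuse to frame (assumption: DENY).
        return False, f"conflicting directives {sorted(distinct)}: treated as DENY"
    name, arg = next(iter(distinct))
    if name == "DENY":
        return False, "DENY: never framed, even by the same origin"
    if name == "SAMEORIGIN":
        page = origin_of(page_url)
        for url in ancestor_urls:  # every ancestor must match (assumption, see lead-in)
            if origin_of(url) != page:
                return False, f"SAMEORIGIN: ancestor {url} is {origin_of(url)}, page is {page}"
        return True, "SAMEORIGIN: every ancestor shares the page's origin"
    if name == "ALLOW-FROM" and supports_allow_from and arg:
        top = origin_of(ancestor_urls[0])
        if origin_of(arg) == top:
            return True, f"ALLOW-FROM: top-level origin {top} matches"
        return False, f"ALLOW-FROM: top-level origin {top} is not {origin_of(arg)}"
    # Unsupported ALLOW-FROM, missing URI, or a typo: the header is ignored.
    return True, f"unrecognised value {header_value!r}: header ignored, page is frameable"


def lint_xfo(header_value):
    """Warnings a deployment check should raise for a header value."""
    if header_value is None or not header_value.strip():
        return ["header missing: page can be framed by any site"]
    directives = parse_xfo(header_value)
    warnings = []
    if len(set(directives)) > 1:
        warnings.append("conflicting values (Apache 'Header append' instead of 'set'?): "
                        "browsers refuse framing, so same-origin framing breaks too")
    for name, _ in directives:
        if name == "ALLOW-FROM":
            warnings.append("ALLOW-FROM is ignored by browsers that do not support it")
        elif name not in ("DENY", "SAMEORIGIN"):
            warnings.append(f"unrecognised directive {name!r}: header ignored entirely")
    return warnings


if __name__ == "__main__":
    # Constructed sample deployment: an account page framed by an attacker site.
    page, attacker, same = "https://app.example/account", "https://attacker.example/", "https://app.example/"
    for value in ("SAMEORIGIN", "DENY, SAMEORIGIN", "SAMEORIGN", None):
        print(value, framing_allowed(value, page, [attacker]), framing_allowed(value, page, [same]))
        print("  lint:", lint_xfo(value))
```

Running the block shows that the misspelt "SAMEORIGN" leaves the account page frameable by the attacker, while the coalesced "DENY, SAMEORIGIN" blocks the legitimate same-origin frame as well, which is why the Apache and nginx sections above use set and a single directive.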
Results
When an attempt is made to load content into a frame, and permission is denied by the X-Frame-Options header, Firefox currently renders about:blank into the frame. At some point, an error message of some kind will be displayed in the frame instead. Either way the framed page's content never loads, so a clickjacking overlay has nothing underneath it to capture.
Browser compatibility
Feature            | Chrome        | Firefox (Gecko)        | Internet Explorer | Opera         | Safari
Basic support      | 4.1.249.1042  | 3.6.9 (1.9.2.9)        | 8.0               | 10.5          | 4.0
ALLOW-FROM support | Not supported | 18.0 (18.0) bug 690168 | 8.0               | Not supported | Not supported (WebKit bug 94836)