I recently finished a project and assumed that once it was delivered everything would be fine, but the client asked for a security scan report, and it came back with an issue straight away.
After checking the nginx documentation I used add_header X-Frame-Options "ALLOW-FROM abc.com", but it kept failing; later I found that Chrome produces this error. The fix is as follows:
map $http_origin $corsHost {
    default 0;
    "~https://waibu.com" https://waibu.com;   # domain of the outer (framing) page
    "~https://neibu.com" https://neibu.com;   # domain of the page embedded in the iframe
}
# Note: $corsHost is defined above but not used below; it could replace the regex check.
server {
    ...
    location ~* \.(eot|ttf|woff|svg|otf)$ {
        # $flag becomes '1' only when the Origin header matches. The original set ''
        # in both branches and tested for '', so the headers were sent to every origin.
        set $flag '0';
        # "https?" (not "http?") matches both http and https; any .com origin is accepted,
        # which is broad when combined with Allow-Credentials: true.
        if ( $http_origin ~* "^https?://.*\.com$" ) {
            set $flag '1';
        }
        if ($flag = '1') {
            add_header 'Access-Control-Allow-Origin' $http_origin;
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET,POST';
        }
    }
}
Or via another approach. Note that frame-src restricts what the page itself may embed; frame-ancestors is the directive that restricts who may embed the page, so it is the one that replaces ALLOW-FROM:
add_header Content-Security-Policy "frame-ancestors https://abc.com";
Other approaches. Apache:
Header always append X-Frame-Options SAMEORIGIN
PHP (the original repeated the Apache directive here; in PHP the header is set with header() before any output):
header('X-Frame-Options: SAMEORIGIN');
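Added example (not code from the original post): a small checker that, given a response's headers, decides whether a browser would let a given origin frame the page. It encodes the rules behind the findings above: CSP frame-ancestors overrides X-Frame-Options, frame-src says nothing about who may frame the page, and ALLOW-FROM is obsolete (Chrome ignores it, leaving the page unprotected). The URLs app.example, other.test and abc.com are constructed sample values.

```python
from urllib.parse import urlsplit


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _source_matches(src, embedder, page):
    """Match one frame-ancestors source expression against the embedder origin."""
    src = src.lower()
    if src == "'self'":
        return _origin(embedder) == _origin(page)
    if src == "'none'":
        return False
    if src == "*":
        return True
    e = urlsplit(embedder)
    if src.endswith(":") and "://" not in src:  # scheme-source such as https:
        return e.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")  # host-source with optional scheme
    if scheme and scheme != e.scheme:
        return False
    if host.startswith("*."):  # *.abc.com matches any subdomain of abc.com
        return (e.hostname or "").endswith(host[1:])
    return (e.hostname or "") == host


def framing_allowed(headers, page, embedder):
    """True if the origin `embedder` may load `page` in an iframe."""
    h = {k.lower(): v for k, v in headers.items()}
    # CSP frame-ancestors, when present, overrides X-Frame-Options entirely.
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_matches(s, embedder, page) for s in value.split())
    # frame-src is deliberately not consulted: it limits what the page embeds, not who embeds it.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(embedder) == _origin(page)
    return True  # nothing usable; ALLOW-FROM lands here because Chrome discards it


if __name__ == "__main__":
    # Constructed header set: the ALLOW-FROM header the scan complained about.
    hdrs = {"X-Frame-Options": "ALLOW-FROM https://abc.com"}
    print(framing_allowed(hdrs, "https://app.example/", "https://other.test"))  # True
```

Run it against the header sets a scanner reports to confirm which configuration actually blocks framing from an outside origin.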