Nginx设置iframe页面跨域限制1. nginx设置iframe页面跨域限制可以使用务器端设置 X-Frame

[TOC]

1. nginx设置iframe页面跨域限制

可以使用 web 服务器配置来解决这个问题，在服务器端设置 X-Frame-Options 标头，以指示浏览器是否允许该页面在 iframe 中加载。还可以考虑使用 CORS（跨域资源共享）来解决跨域问题如2 .

X-Frame-Options: SAMEORIGIN

X-Frame-Options http响应头是用来给浏览器指示允许一个页面可否在<frame>, <iframe>, <embed> 或者 <object> 中展现的标记, 可以通过确保网站没有被嵌入到别人的站点里，避免 clickjacking 攻击。

X-Frame-Options 语法:

# 该页面不允许在frame中展示，同域名页面中嵌套也不被允许
X-Frame-Options: deny
# 该页面可以在相同域名的页面的frame中展示
X-Frame-Options: sameorigin
# 该页面可以在指定来源的frame中展示
X-Frame-Options: allow-from https://example.com/


#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;
		
        
		#add_header X-Frame-Options SAMEORIGIN;
		# 允许多个域名iframe嵌套，用逗号分隔
		# 使用frame-ancestors，多个域名使用空格分隔
		#add_header X-Frame-Options "ALLOW-FROM http://127.0.0.1:8081/,http://127.0.0.1:8082/";
        

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
			
            
			# 允许请求地址跨域 * 做为通配符
            add_header 'Access-Control-Allow-Origin' '*' always;
			# 允许跨域的请求方法
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
			# 允许自定义的 'X-Custom-Header' 头部
			add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
			
			# 或者如下配置 设置基本的 CORS 处理器
			if ($request_method = 'OPTIONS') {
				# add_header 'Access-Control-Allow-Origin' '*';
				# add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				# add_header 'Access-Control-Allow-Headers' 'X-Requested-With,Content-Type,Authorization';
				# add_header 'Access-Control-Allow-Credentials' 'true';
				# add_header 'Access-Control-Max-Age' 1728000;
				# add_header 'Content-Type' 'text/plain charset=UTF-8';
				# add_header 'Content-Length' 0;
				return 204;
			}
            
            
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

2. 设置 Nginx 解决跨域问题

可以使用 Nginx 的 add_header 指令设置相应的响应头来允许跨域请求,如下例子；


#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;

			# 允许请求地址跨域 * 做为通配符
            add_header 'Access-Control-Allow-Origin' '*';
			# 允许跨域的请求方法
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
			# 允许自定义的 'X-Custom-Header' 头部
			add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
			
			# 或者如下配置 设置基本的 CORS 处理器
			if ($request_method = 'OPTIONS') {
				# add_header 'Access-Control-Allow-Origin' '*';
                # 配置基本的 CORS 处理器，允许指定域名跨域请求
                # add_header 'Access-Control-Allow-Origin' 'http://example.com';
				# add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				# add_header 'Access-Control-Allow-Headers' 'X-Requested-With,Content-Type,Authorization';
				# add_header 'Access-Control-Max-Age' 1728000;
				# add_header 'Content-Type' 'text/plain charset=UTF-8';
				# add_header 'Content-Length' 0;
				return 204;
			}
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}