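How do I make an iframe block requests to certain domains?
Is there an attribute for an iframe that makes it block requests to certain domains? Something like the following: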
So if <iframe src="www.example.com" block-domains="google.com"></iframe> had the magic attribute I am looking for, it would tell the iframe to block all requests to block-domains.
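Solution
I think the closest thing to this is setting X-Frame-Options in the header declaration. The documentation states that you can supply either of the following 2 options (the 3rd is obsolete):
- DENY: the iframe is not displayed, regardless of which page is trying to embed it
- SAMEORIGIN: the iframe is displayed only when it is called by a site with the same origin as the page itself (by checking the frame ancestors)
Another approach is to use frame-ancestors as part of the Content-Security-Policy header, which lets you specify the websites that may embed the iframe.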
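As far as I know, this is not possible unless you have permission to set the response headers of the domain being loaded.
If you do have access, you can set the Content-Security-Policy response header with frame-src. It restricts the domains that a page can load in an iframe.
For example, if the website at https://example.com has the response header
Content-Security-Policy: frame-src 'self' *.trusted.com
then requests can only be made to the example.com and *.trusted.com domains in iframes.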
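As an added example (not part of the original answers), the following JavaScript models how a browser decides whether the policy quoted above lets a page load a given URL in an iframe. The function names are hypothetical and the matching is simplified: ports and paths in source expressions are not handled.

```javascript
// Added example: simplified model of CSP frame-src matching (no ports or paths).
function frameSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources); // first occurrence of a directive wins
    }
  }
  // frame-src falls back to child-src, then default-src; null = frames unrestricted
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// http: in a source (or as the page scheme) also admits the https: upgrade
const schemeOk = (want, got) => want === got || (want === 'http:' && got === 'https:');

function hostOk(pattern, host) {
  // "*.trusted.com" covers subdomains only, never trusted.com itself
  return pattern.startsWith('*.') ? host.endsWith(pattern.slice(1)) : host === pattern;
}

function frameAllowed(policy, pageUrl, frameUrl) {
  const sources = frameSources(policy);
  if (sources === null) return true;
  const page = new URL(pageUrl);
  const frame = new URL(frameUrl);
  return sources.some((raw) => {
    const src = raw.toLowerCase();
    if (src === "'self'") return frame.origin === page.origin;
    if (src === '*') return ['http:', 'https:'].includes(frame.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return schemeOk(src, frame.protocol);
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:']+)$/.exec(src);
    if (!m) return false; // 'none', unsupported keywords, ports, paths
    const want = m[1] ? m[1] + ':' : page.protocol;
    return schemeOk(want, frame.protocol) && hostOk(m[2], frame.hostname);
  });
}

// Constructed sample: the policy from the answer, served by https://example.com
const POLICY = "frame-src 'self' *.trusted.com";
const PAGE = 'https://example.com/index.html';
```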