Overcoming “Display forbidden by X-Frame-Options”

梦谈多话 2020-11-21 06:31

I'm writing a tiny webpage whose purpose is to frame a few other pages, simply to consolidate them into a single browser window for ease of viewing. A few of the pages I'

26 answers
  • 2020-11-21 07:13

    Edit .htaccess if you want to remove X-Frame-Options from an entire directory.

    And add the line: Header always unset X-Frame-Options

    [contents from: Overcoming "Display forbidden by X-Frame-Options"]

  • 2020-11-21 07:15

    UPDATE 2019: You can bypass X-Frame-Options in an <iframe> using just client-side JavaScript and my X-Frame-Bypass Web Component. Here is a demo: Hacker News in an X-Frame-Bypass. (Tested in Chrome & Firefox.)

  • 2020-11-21 07:15

    Solution for loading an external website into an iFrame even though the X-Frame-Options header is set to DENY on the external website.

    If you want to load another website into an iFrame and you get the "Display forbidden by X-Frame-Options" error, then you can actually overcome this by creating a server-side proxy script.

    The src attribute of the iFrame could have a URL looking like this: /proxy.php?url=https://www.example.com/page&key=somekey

    Then proxy.php would look something like:

    <?php
    // Fetch the requested page server-side and return its body to the browser.
    // The upstream response headers (including X-Frame-Options) are not forwarded,
    // which is why the iFrame can then display the content.
    if (isValidRequest()) {
        echo file_get_contents($_GET['url']);
    }

    // Minimal gate: GET requests only, and a shared key must be supplied.
    // NOTE: this does not restrict WHICH url may be fetched; see the warning below.
    function isValidRequest() {
        return $_SERVER['REQUEST_METHOD'] === 'GET'
            && isset($_GET['key'])
            && $_GET['key'] === 'somekey';
    }
    

    This bypasses the block, because it is just a GET request that might as well have been an ordinary browser page visit.

    Be aware: you might want to improve the security in this script, because hackers could start loading in webpages via your proxy script.

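The answer above says the proxy script should be hardened but does not show how. The following is an added example (not code from the thread) of the allow-list check that proxy.php's isValidRequest() lacks: as posted, the script fetches whatever URL the client supplies, so anyone who knows the key can relay arbitrary sites through the server, including hosts only reachable from inside its network. The host names in ALLOWED_HOSTS, the parameter names and the key value are placeholders.

```python
"""Allow-list check for a server-side framing proxy (constructed example).

Added example, not code from the thread. Restricts the proxy to an explicit
set of https hosts and compares the shared key in constant time.
"""
import hmac
from urllib.parse import urlsplit

# Placeholder allow-list: only these hosts may be fetched through the proxy.
ALLOWED_HOSTS = {"www.example.com", "docs.example.com"}


def is_allowed_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for https URLs whose host is exactly on the allow-list."""
    try:
        p = urlsplit(url)
        port = p.port                     # raises ValueError for malformed/out-of-range ports
    except ValueError:
        return False
    if p.scheme != "https":               # rejects http://, file://, gopher:// and friends
        return False
    if p.username is not None or p.password is not None:
        return False                      # e.g. "https://www.example.com@evil.example/"
    if port not in (None, 443):
        return False                      # no alternate ports on the allowed hosts
    host = p.hostname or ""               # urlsplit already lower-cases the host name
    # Exact matching means IP literals such as 127.0.0.1 can never pass
    # unless they are explicitly listed.
    return host in allowed_hosts


def is_valid_request(method, params, expected_key):
    """Gate for /proxy?url=...&key=...: GET only, constant-time key check,
    and the target must pass the allow-list check."""
    if method != "GET":
        return False
    key = params.get("key", "")
    if not hmac.compare_digest(key.encode("utf-8"), expected_key.encode("utf-8")):
        return False
    return is_allowed_target(params.get("url", ""))


if __name__ == "__main__":
    # Constructed requests, as they would arrive at the proxy endpoint.
    for q in (
        {"url": "https://www.example.com/page", "key": "somekey"},
        {"url": "http://www.example.com/page", "key": "somekey"},
        {"url": "https://www.example.com@evil.example/", "key": "somekey"},
        {"url": "https://127.0.0.1/", "key": "somekey"},
    ):
        verdict = "allowed" if is_valid_request("GET", q, "somekey") else "rejected"
        print(q["url"], "->", verdict)
```

The shared key only identifies the caller; it is the allow-list that limits what the server will fetch on their behalf, which is the part the posted script leaves open.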
  • 2020-11-21 07:18

    FWIW:

    We had a situation where we needed to kill our iFrame when this "breaker" code showed up. So, I used the PHP function get_headers($url); to check out the remote URL before showing it in an iFrame. For better performance, I cached the results to a file so I was not making an HTTP connection each time.

  • 2020-11-21 07:19

    It appears that X-Frame-Options Allow-From https://... is deprecated and was replaced (and gets ignored) if you use the Content-Security-Policy header instead.

    Here is the full reference: https://content-security-policy.com/

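Two answers above touch on the same need: one checks a remote URL's headers with get_headers() before deciding whether to show it in an iFrame, and the one just above notes that ALLOW-FROM is deprecated and that Content-Security-Policy takes over. Here is an added example (not code from the thread) of the decision logic such a header check would apply: when a CSP frame-ancestors directive is present it alone decides and X-Frame-Options is ignored; otherwise DENY and SAMEORIGIN are enforced, and ALLOW-FROM is treated the way current browsers treat it, as an unrecognised value that imposes no restriction. Supported source expressions are 'none', 'self', *, and host sources with an optional scheme and optional leading wildcard; the header dicts and URLs in the demo are constructed.

```python
"""Decide whether a response's headers let a given parent page frame it.

Added example, not code from the thread. Implements the precedence rule:
CSP frame-ancestors wins when present, otherwise X-Frame-Options applies.
"""
from urllib.parse import urlsplit


def _origin(url):
    """scheme://host[:port] of a URL, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None


def _source_matches(source, parent_origin, page_origin):
    """Match one frame-ancestors source expression against the parent's origin."""
    if source == "'none'":
        return False
    if source == "'self'":
        return parent_origin == page_origin
    if source == "*":
        return True
    scheme, _, host = source.partition("://") if "://" in source else ("", "", source)
    p_scheme, _, p_host = parent_origin.partition("://")
    if scheme and scheme != p_scheme:
        return False
    if host.startswith("*."):
        return p_host.endswith(host[1:])      # "*.example.com" -> ".example.com"
    return p_host == host


def may_frame(headers, page_url, parent_url):
    """Return (allowed, reason) for embedding page_url in a document at parent_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, parent_origin = _origin(page_url), _origin(parent_url)
    csp = h.get("content-security-policy")
    ancestors = _frame_ancestors(csp) if csp is not None else None
    if ancestors is not None:
        ok = any(_source_matches(s, parent_origin, page_origin) for s in ancestors)
        return ok, "CSP frame-ancestors decides; X-Frame-Options ignored"
    xfo = h.get("x-frame-options")
    if xfo is None:
        return True, "no framing restriction in headers"
    value = xfo.strip().upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return parent_origin == page_origin, "X-Frame-Options: SAMEORIGIN"
    return True, "X-Frame-Options value not recognised (ALLOW-FROM is obsolete); ignored"


if __name__ == "__main__":
    # Constructed response headers, as get_headers() or any HTTP client would return them.
    samples = {
        "deny only": {"X-Frame-Options": "DENY"},
        "csp overrides xfo": {
            "X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
        },
        "obsolete allow-from": {"X-Frame-Options": "ALLOW-FROM https://trusted.example"},
    }
    for name, hdrs in samples.items():
        print(name, "->", may_frame(hdrs, "https://app.example/", "https://portal.partner.example/"))
```

Feeding real headers into may_frame() before creating the iFrame gives the "kill the iFrame" decision described above without loading the page first, and the ALLOW-FROM branch makes the deprecation visible: a site relying on it is, in practice, unprotected.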
  • 2020-11-21 07:19

    The only real answer, if you don't control the headers on your source you want in your iframe, is to proxy it. Have a server act as a client, receive the source, strip the problematic headers, add CORS if needed, and then ping your own server.

    There is one other answer explaining how to write such a proxy. It isn't difficult, but I was sure someone had to have done this before. It was just difficult to find it, for some reason.

    I finally did find some sources:

    https://github.com/Rob--W/cors-anywhere/#documentation

    ^ preferred. If you need rare usage, I think you can just use his Heroku app. Otherwise, it's code to run it yourself on your own server. Not sure what the limits are.

    whateverorigin.org

    ^ second choice, but quite old. Supposedly a newer choice in Python: https://github.com/Eiledon/alloworigin

    Then there's the third choice:

    http://anyorigin.com/

    which seems to allow a little free usage, but will put you on a public shame list if you don't pay and use some unspecified amount, which you can only be removed from if you pay the fee...
