Question
I have developed a search form which is hosted on a local server (IIS, .NET Core web site) in my company. The web site is a WordPress site hosted on another server (Apache, WAMP), also in the company. Both have different public IPs, but both are hosted under subdomains of the same domain.
Say, wordpress.company.com and search.company.com, and I have control over both.
The first time I tested using the iframe plugin, everything seemed to work OK; however, I now realize there is this error shown in Edge. The same behavior is shown on all browsers, yet no similar messages are shown.
This content can’t be shown in a frame
There is supposed to be some content here, but the publisher doesn’t allow it to be displayed in a frame. This is to help protect the security of any information you might enter into this site.
Try this
Open this in a new window (which is a link to the iframe's content URL)
The weird thing is I just have to press F5 and everything loads correctly.
The error in the Chrome console is:
Refused to display 'http://subdomain.mysite.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
How can I work around this behavior?
Answer 1:
The problem is similar to the one described here, but due to .NET Core. And the solution is also similar.
You can also use the recommendations made by @user770 in the comments on the question. However, that does not solve the iframe block, and neither does this answer explain why refreshing the page solved the issue. However, that is not a good experience for users.
So, the solution is easy and can be done in code; that way you are more secure if anyone tries to overwrite the X-Frame-Options setting on your server. Any multiple setting will result in 'deny'.
In the Startup.cs file of your project you have to add this, to prevent .NET Core from adding the 'sameorigin' setting automatically.
public void ConfigureServices(IServiceCollection services)
{
    // YOU CAN HAVE SOME CODE HERE

    // Stop the antiforgery system from emitting X-Frame-Options: SAMEORIGIN on its own.
    services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);
}
However, this may put your site at risk; this scenario is intended to be applied when you have control over both sites and both domains.
To secure the site, you have to set the X-Frame-Options setting to allow the domain you want. Again, in Startup.cs, do the following.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // YOU MAY HAVE SOME CODE HERE

    // Inline middleware that adds the header to every response before the rest of the pipeline runs.
    app.Use(async (context, next) =>
    {
        context.Response.Headers.Add("X-Frame-Options", "ALLOW-FROM http://*.MYCONTROLLEDDOMAIN.COM https://*.MYCONTROLLEDDOMAIN.COM");
        await next();
    });
}
That way you will allow your domain to load this website within an iframe.
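An added example, not from the question or the answer above: the same allowlist expressed with the CSP frame-ancestors directive, which current browsers honour, whereas X-Frame-Options ALLOW-FROM accepts a single URI (no wildcards) and Chromium-based browsers ignore it. It assumes the origin https://wordpress.company.com as the only permitted framer and the extension name UseFrameAncestors; register it in Configure() with app.UseFrameAncestors().

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Primitives;

public static class FrameAncestorsExtensions
{
    // Assumed allowlist for the scenario in the question. Each entry must be a full
    // scheme+host origin; nothing here is validated, so keep the list short and exact.
    private static readonly string[] AllowedFramers =
    {
        "https://wordpress.company.com",
    };

    // 'self' keeps same-origin framing working, as SAMEORIGIN did before.
    public static string BuildFrameAncestors(string[] allowedOrigins)
    {
        return "frame-ancestors 'self' " + string.Join(" ", allowedOrigins);
    }

    public static IApplicationBuilder UseFrameAncestors(this IApplicationBuilder app)
    {
        string directive = BuildFrameAncestors(AllowedFramers);

        return app.Use(async (context, next) =>
        {
            // OnStarting runs just before headers are flushed, i.e. after antiforgery
            // or any other component has had its chance to add X-Frame-Options.
            context.Response.OnStarting(() =>
            {
                IHeaderDictionary headers = context.Response.Headers;

                // Browsers treat conflicting X-Frame-Options values as DENY, and CSP
                // frame-ancestors takes precedence where both are present. SAMEORIGIN is
                // kept only as a fail-closed fallback for browsers without CSP support.
                headers["X-Frame-Options"] = "SAMEORIGIN";

                // Append to an existing policy rather than clobbering other directives.
                if (headers.TryGetValue("Content-Security-Policy", out StringValues existing)
                    && !StringValues.IsNullOrEmpty(existing))
                {
                    headers["Content-Security-Policy"] =
                        existing.ToString().TrimEnd(';', ' ') + "; " + directive;
                }
                else
                {
                    headers["Content-Security-Policy"] = directive;
                }
                return Task.CompletedTask;
            });

            await next();
        });
    }
}
```

With this in place, the SuppressXFrameOptionsHeader setting from the answer is no longer strictly required, since the callback overwrites whatever value the framework set; a quick check is `curl -I https://search.company.com/` and confirming a single X-Frame-Options header plus the frame-ancestors directive.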
Source: https://stackoverflow.com/questions/50271878/this-content-cannot-be-viewed-in-a-frame-error-the-first-time-i-load-the-page