About "This content can not be displayed in a frame" issues


This happens because of how the X-Frame-Options response header is configured.


What is the X-Frame-Options response header?

  It sets a security policy that prevents "clickjacking attacks". Let's first look at what clickjacking is.

Clickjacking defined

  You open a web page and a Flash ad box appears. You click the "Close" button to close the ad, but instead of closing, the ad goes full-screen. In computer security this situation is called clickjacking, meaning that your mouse clicks are being controlled by someone else.

Clickjacking feature

  Clickjacking is a malicious attack technique used to track network users, access their private information, or remotely control their computer by getting the user to click on a seemingly normal web page. Many browsers and operating platforms have such vulnerabilities.

Clickjacking role

  The attack can use embedded code or text and completes without the user's knowledge. For example, the user clicks what is displayed as the "play" button on a video, but the operation actually performed sets the user's personal social networking profile information to "public".

  Actually, the question is whether the HTTP response headers set X-Frame-Options. I think SharePoint restricts this internally, which is why we cannot access the page. I located the IIS site, but the header was not shown there; I then tried adding the HTTP response header to the IIS site, and found that this solves the problem.


1, configure Apache:

  (On a local installation this goes in httpd.conf; on Linux (Ubuntu) it goes in apache2.conf.) Find an empty spot and add this line of code; which value to use depends on what you choose:

Header always append X-Frame-Options SAMEORIGIN

  You may find that, after you finish configuring Apache, restarting it reports an error:

Invalid command ‘Header’, perhaps misspelled or defined by a module not included in the server configuration

  The headers module is not enabled, so we need to enable it ourselves:

  Run a2enmod headers, then restart Apache with service apache2 restart


2, configure Nginx:

  To make nginx send the X-Frame-Options response header, add the following line to the 'http', 'server' or 'location' configuration:

add_header X-Frame-Options SAMEORIGIN;

3, configure IIS:

  1. Open IIS and click HTTP Response Headers;

  2. The X-Frame-Options header accepts three values:
  · DENY
  · SAMEORIGIN
  · ALLOW-FROM origin

In brief: **DENY** forbids all iframes, **SAMEORIGIN** allows iframes from this server, and **ALLOW-FROM** allows a specific origin, **followed by the domain name**.

Alternatively, to make IIS send the X-Frame-Options response header, add the following to the Web.config configuration file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

4, set it in server-side code as follows:

Java code:
response.addHeader("x-frame-options","SAMEORIGIN");
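
A check for the values configured above, as an added example that is not part of the original post: it classifies the X-Frame-Options value(s) in a response, modeled on the processing in the HTML Standard, including the case where the web server (steps 1 to 3) and the application code (step 4) both send the header. The function name and the sample values are assumptions constructed for illustration.

```python
# Added example; the header values below are constructed samples.
KNOWN = {"deny", "sameorigin", "allowall"}

def effective_policy(header_values):
    """Classify X-Frame-Options as a standards-following browser would.

    header_values holds one string per X-Frame-Options line in the response.
    Returns 'missing', 'deny', 'sameorigin', 'conflict-blocked' or 'ignored'.
    """
    # All header lines are combined and split on commas; duplicates collapse.
    tokens = {part.strip().lower()
              for raw in header_values
              for part in raw.split(",")
              if part.strip()}
    if not tokens:
        return "missing"            # no protection: any site may frame the page
    if len(tokens) > 1:
        # Different values together: blocked if any is recognised, else ignored.
        return "conflict-blocked" if tokens & KNOWN else "ignored"
    (token,) = tokens
    if token in ("deny", "sameorigin"):
        return token
    return "ignored"                # ALLOWALL, ALLOW-FROM ..., typos: no protection

SAMPLES = {
    "server only": ["SAMEORIGIN"],
    "server and app both set it": ["SAMEORIGIN", "sameorigin"],
    "server and app disagree": ["SAMEORIGIN", "DENY"],
    "ALLOW-FROM": ["ALLOW-FROM https://partner.example"],
    "typo": ["SAMEORIGN"],
    "header absent": [],
}

if __name__ == "__main__":
    for label, values in SAMPLES.items():
        print(f"{label:28} -> {effective_policy(values)}")
```

A result of 'missing' or 'ignored' means the page gets no framing protection from this header; 'conflict-blocked' means the page cannot be framed even by its own origin.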

Origin www.cnblogs.com/xianyao/p/11315702.html