"Refused to connect": X-Frame-Options in Spring Security

Background

When a user opens the content platform, the platform embeds the UGC post details page in an iframe so that the post can be previewed without leaving the platform. The post details page, however, does not allow itself to be framed, and Chrome displays the error "star.aliexpress.com refused to connect" in place of the frame.

Cause

The post details page is served by a Spring Boot application with Spring Security on the classpath. Spring Security's default header configuration adds X-Frame-Options: DENY to every response, which instructs the browser never to render the page inside a frame, regardless of who is framing it. The default exists to protect users against clickjacking (an attacker loading a legitimate page in an invisible frame and tricking the user into clicking on it), but it also blocks legitimate embedding such as the content platform's preview.

Solution

X-Frame-Options takes one of three values:
DENY
The page may not be rendered in a frame at all, not even by a page from the same origin.
SAMEORIGIN
The page may be rendered in a frame only when the framing page has the same origin (scheme, host and port).
ALLOW-FROM uri
The page may be rendered in a frame only by the single origin given. This value was never standardised: Chrome and Safari never implemented it and Firefox removed support in version 70. Current browsers treat a header carrying it as invalid and ignore it, which leaves the page frameable by any site. The standard replacement is the Content-Security-Policy frame-ancestors directive, which also accepts more than one origin.

When Spring Security is present, its defaults can be overridden in a configuration class annotated with @EnableWebSecurity. The following configuration replaces the default DENY policy with ALLOW-FROM for an allow list of origins:

import com.alibaba.spring.websecurity.DefaultWebSecurityConfigurer;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

import java.util.Arrays;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends DefaultWebSecurityConfigurer {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        // Disable the default policy. This line must not be omitted.
        http.headers().frameOptions().disable();
        // Add the new policy: a writer that emits ALLOW-FROM for allow-listed origins.
        // WhiteListedAllowFromStrategy reads the requested origin from the
        // "x-frames-allow-from" request parameter and emits ALLOW-FROM only when that
        // value exactly matches an entry of the list; otherwise it falls back to DENY.
        http.headers().addHeaderWriter(new XFrameOptionsHeaderWriter(
                new WhiteListedAllowFromStrategy(
                        Arrays.asList("http://itaobops.aliexpress.com", "https://cpp.alibaba-inc.com",
                                "https://pre-cpp.alibaba-inc.com"))));
    }
}

The configuration above sets ALLOW-FROM uri. Two caveats apply. First, WhiteListedAllowFromStrategy does not emit a fixed header: it takes the embedding origin from the x-frames-allow-from request parameter, so the framing page has to append that parameter to the iframe URL (for example ?x-frames-allow-from=https://cpp.alibaba-inc.com), and the value must match a list entry exactly; any other request still receives DENY. Second, as noted above, current browsers do not honour ALLOW-FROM at all. Chrome ignores the header with a console warning and Firefox 70 and later behave the same, so in those browsers this configuration removes clickjacking protection rather than restricting it. ALLOW-FROM should be treated as legacy; Spring Security itself deprecated the ALLOW-FROM strategies in 5.8 in favour of Content-Security-Policy frame-ancestors.
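The browser-supported way to achieve what the ALLOW-FROM configuration above intends is the Content-Security-Policy frame-ancestors directive. The following configuration is an added example written for this edit, not code from the original post or from the Alibaba DefaultWebSecurityConfigurer base class; it extends Spring Security's standard WebSecurityConfigurerAdapter (Spring Security 5.x), and the allowed origins are assumed from the ALLOW-FROM list above.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example (not from the original post): restrict framing of the post details
 * page to a fixed set of parent origins with CSP frame-ancestors, the standard
 * replacement for X-Frame-Options: ALLOW-FROM.
 */
@EnableWebSecurity
@Configuration
public class FrameAncestorsSecurityConfig extends WebSecurityConfigurerAdapter {

    // Origins assumed from the ALLOW-FROM list in the post. 'self' keeps same-origin
    // embedding working. Unlike ALLOW-FROM, several origins may be listed, and the
    // browser checks every ancestor frame in the chain, not just the immediate parent.
    private static final String FRAME_ANCESTORS_POLICY =
            "frame-ancestors 'self' http://itaobops.aliexpress.com "
            + "https://cpp.alibaba-inc.com https://pre-cpp.alibaba-inc.com";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
                // Stop sending the default X-Frame-Options: DENY so the two headers do not
                // contradict each other. Browsers that implement frame-ancestors ignore
                // X-Frame-Options when both are present, but a single header is easier
                // to verify in the response.
                .frameOptions().disable()
                // Emit "Content-Security-Policy: frame-ancestors ..." on every response.
                // An ancestor that is not listed gets a blocked frame, as with DENY.
                .contentSecurityPolicy(FRAME_ANCESTORS_POLICY);
    }
}
```

Overriding configure(HttpSecurity) replaces the adapter's default body, so the application's own authorizeRequests() rules must be added alongside the header setup. frame-ancestors only works as a response header, not in an HTML meta tag, so it has to be set server-side as above. To verify, load the post details page inside the content platform and inspect the response in the browser's network panel: it should carry the Content-Security-Policy header and no X-Frame-Options header, and a framing attempt from an unlisted origin is reported in the console as a frame-ancestors violation instead of "refused to connect".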

The other settings are simpler. The following configuration sets SAMEORIGIN, which is the right choice when the framing page and the framed page are served from the same origin:

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends DefaultWebSecurityConfigurer {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        // Emit X-Frame-Options: SAMEORIGIN; only pages from the same origin may frame this one.
        http.headers().frameOptions().sameOrigin();
    }
}

The following configuration removes the header entirely, so any site can frame the page. This gives up clickjacking protection and should only be used for pages where that is acceptable (for example pages with no authenticated actions), or when a Content-Security-Policy frame-ancestors directive is sent instead:


@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends DefaultWebSecurityConfigurer {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        // No X-Frame-Options header is sent at all; any origin may frame the page.
        http.headers().frameOptions().disable();
    }
}

Author: YDDMAX_Y
Link: https://www.jianshu.com/p/9ec724f4e3ae
Source: Jianshu
Copyright belongs to the author. For commercial reprints please contact the author for authorisation; for non-commercial reprints please cite the source.

Reposted from: blog.csdn.net/zhongguowangzhan/article/details/104044161