Spring Security:Refused to display 'http://**' in a frame because it set 'X-Frame-Options' to 'deny'
2018-02-01 14:10
After integrating Spring Security, an iframe on the page fails with this error:
Refused to display 'http://**' in a frame because it set 'X-Frame-Options' to 'deny'
Solution:
In the subclass of WebSecurityConfigurerAdapter, add the following inside the overridden configure(HttpSecurity) method:
http.headers().frameOptions().sameOrigin()
headers() returns a HeadersConfigurer (frameOptions() returns its nested FrameOptionsConfig). The class Javadoc of HeadersConfigurer reads:
* <p>
* Adds the Security HTTP headers to the response. Security HTTP headers is activated by
* default when using {@link WebSecurityConfigurerAdapter}'s default constructor.
* </p>
*
* <p>
* The default headers include are:
* </p>
*
* <pre>
* Cache-Control: no-cache, no-store, max-age=0, must-revalidate
* Pragma: no-cache
* Expires: 0
* X-Content-Type-Options: nosniff
* Strict-Transport-Security: max-age=31536000 ; includeSubDomains
* X-Frame-Options: DENY
* X-XSS-Protection: 1; mode=block
* </pre>
From this we can see that X-Frame-Options defaults to DENY, which is what causes the error on the page: the browser refuses to render the response inside any frame, even one served by the application itself.
The Javadoc of sameOrigin() reads:
/**
* <p>
* Specify to allow any request that comes from the same origin to frame this
* application. For example, if the application was hosted on example.com, then
* example.com could frame the application, but evil.com could not frame the
* application.
* </p>
*
* @return
*/
So sameOrigin() emits X-Frame-Options: SAMEORIGIN, which allows pages from the same origin to load the application in an iframe while still blocking other origins.
The same error can also be silenced with:
http.headers().frameOptions().disable()
Its Javadoc:
/**
* Prevents the header from being added to the response.
*
* @return the {@link HeadersConfigurer} for additional configuration.
*/
Note that this removes only the X-Frame-Options header from the response; the other default headers listed above are still written. Without X-Frame-Options, any site, including a malicious one, can frame the application, which is exactly the clickjacking scenario the header exists to prevent. Prefer sameOrigin() unless cross-origin framing is genuinely required.
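The complete configuration described above, together with a test that checks the header actually reaches the client. This is an added example, not code from the original post; it assumes Spring Boot 2.x with spring-boot-starter-security and spring-boot-starter-test on the classpath and an existing @SpringBootApplication class in the same package tree. The class names SecurityConfig and FrameOptionsHeaderTest are made up for the example.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.test.web.servlet.MockMvc;
import org.junit.jupiter.api.Test;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

// Added example: security configuration that keeps the default headers but
// relaxes X-Frame-Options from DENY to SAMEORIGIN.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .headers()
                // Default is DENY. SAMEORIGIN lets pages served from this
                // application's own origin embed it in an <iframe>; a
                // third-party origin still cannot, so clickjacking from
                // other sites remains blocked.
                .frameOptions().sameOrigin();

        // The other option from the post. It drops X-Frame-Options entirely
        // (and only that header), so ANY site can frame the application.
        // Leave it commented out unless cross-origin framing is intended:
        // http.headers().frameOptions().disable();
    }
}

// Added example: integration test proving the header is written. Uses the
// /login page because formLogin() permits it without authentication, so the
// response is a normal 200 carrying the security headers.
@SpringBootTest
@AutoConfigureMockMvc
class FrameOptionsHeaderTest {

    @Autowired
    MockMvc mvc;

    @Test
    void responsesCarrySameOriginFrameOptions() throws Exception {
        mvc.perform(get("/login"))
           .andExpect(header().string("X-Frame-Options", "SAMEORIGIN"));
    }
}
```

On a running instance the same check is `curl -sI http://localhost:8080/login | grep -i x-frame-options`, which should print `X-Frame-Options: SAMEORIGIN`. If the framing page and the framed application are on different origins (different host, port or scheme), SAMEORIGIN will still be refused by the browser; in that case the precise fix is a Content-Security-Policy `frame-ancestors` directive listing the allowed origin, not disable(). On Spring Security 5.7 and later, where WebSecurityConfigurerAdapter is deprecated, the equivalent setting is `http.headers(h -> h.frameOptions(f -> f.sameOrigin()))` inside a SecurityFilterChain bean.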