问题
I need to use couple of iframe for a page hosted with firebase, but its giving me X-Frame-Options error, one of the iframe is for gallery hosted on picasa, and anohter ifrmae for contact form(because i couldnt sent email via firebase :()
here is error
Refused to display 'https://get.google.com/albumarchive/pwa/11111/album/1111?source=pwa#slideshow/1111' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
jquery.min.js:2 Uncaught DOMException: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "https://demodomain.com" from accessing a cross-origin frame.
i did this with firebase.json but didnt worked
"headers": [
{
"source": "**/*",
"headers": [
{"key": "X-Content-Type-Options", "value": "nosniff"},
{"key": "X-Frame-Options", "value": "ALLOW"},
{"key": "X-UA-Compatible", "value": "ie=edge"},
{"key": "X-XSS-Protection", "value": "1; mode=block"}
]
}
]
回答1:
you have the right idea you're just setting the wrong value. ALLOW is not an acceptable value for the X-Frame-Options header. You can set the ALLOW-FROM value and then specify which uri you want to allow to be able to embed. Check out some more documentation below.
FIX:
"headers": [{
"source": "**/*",
"headers": [
{"key": "X-Content-Type-Options", "value": "nosniff"},
{"key": "X-Frame-Options", "value": "ALLOW-FROM https://get.google.com"},
{"key": "X-UA-Compatible", "value": "ie=edge"},
{"key": "X-XSS-Protection", "value": "1; mode=block"}
]
}]
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
来源:https://stackoverflow.com/questions/40465506/firebase-hosting-iframe-error-with-x-frame-options