Rejected our connection request

Background

When a user opens the content platform, the platform embeds the UGC post-details page in an iframe so that the post can be previewed. The post-details page, however, does not allow iframe embedding, so the browser shows the error "star.aliexpress.com rejected our connection request.".

Reason

This happens because the post-details page refuses to be embedded in an iframe. Spring Security sends the X-Frame-Options header with the value DENY by default, so the browser will not render the page inside a frame; this protects users against clickjacking.

Solution

X-Frame-Options has three values:

DENY
    The page may not be displayed in a frame at all, not even by a page from the same origin.
SAMEORIGIN
    The page may be displayed in a frame only when the framing page has the same origin.
ALLOW-FROM uri
    The page may be displayed in a frame only when the framing page comes from the specified origin.

Spring Boot lets you customise the security policy in a configuration class annotated with @EnableWebSecurity. The details are as follows:

import com.alibaba.spring.websecurity.DefaultWebSecurityConfigurer;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

import java.util.Arrays;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends DefaultWebSecurityConfigurer {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        // Disable the default frame-options writer (which emits DENY). This line cannot be omitted.
        http.headers().frameOptions().disable();
        // Add a new strategy: ALLOW-FROM for the listed origins, DENY for everything else.
        http.headers().addHeaderWriter(new XFrameOptionsHeaderWriter(
                new WhiteListedAllowFromStrategy(
                        Arrays.asList("http://itaobops.aliexpress.com", "https://cpp.alibaba-inc.com",
                                "https://pre-cpp.alibaba-inc.com"))));
    }
}

The above is the configuration for ALLOW-FROM uri.

The other settings are simpler. The following is the configuration for SAMEORIGIN:

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends DefaultWebSecurityConfigurer {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.headers().frameOptions().sameOrigin();
    }
}

The following disables the header entirely, so the page can be framed by any site:

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends DefaultWebSecurityConfigurer {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.headers().frameOptions().disable();
    }
}
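As an added example (not code from the post or from Spring Security), the Python below models the decisions the three settings above produce: the whitelist strategy, which in Spring Security reads the embedding page's origin from a request parameter named `from`, and a browser-side check of whether a frame would be rendered. The allow-list origins are copied from the post's Java configuration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Allow-list copied from the post's Java config (constructed sample data).
ALLOW_LIST = [
    "http://itaobops.aliexpress.com",
    "https://cpp.alibaba-inc.com",
    "https://pre-cpp.alibaba-inc.com",
]


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port] so path and query are ignored."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def allow_from_header(from_param: Optional[str], allow_list=ALLOW_LIST) -> str:
    """Model of WhiteListedAllowFromStrategy: the embedding page passes its
    origin in the 'from' query parameter (Spring's default parameter name);
    a match yields ALLOW-FROM <origin>, anything else yields DENY."""
    if not from_param:
        return "DENY"
    try:
        candidate = origin_of(from_param)
    except ValueError:
        return "DENY"
    allowed = {origin_of(o) for o in allow_list}
    return f"ALLOW-FROM {candidate}" if candidate in allowed else "DENY"


def framing_allowed(header: Optional[str], page_url: str, top_url: str) -> bool:
    """Would a browser honouring X-Frame-Options render page_url inside a
    frame whose top-level document is top_url?"""
    if header is None:
        return True  # no header: framing is unrestricted
    value = header.strip()
    upper = value.upper()
    if upper == "DENY":
        return False
    if upper == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(top_url)
    if upper.startswith("ALLOW-FROM"):
        permitted = value[len("ALLOW-FROM"):].strip()
        return origin_of(top_url) == origin_of(permitted)
    # Browsers ignore values they do not recognise, so a misspelt
    # header gives no protection at all.
    return True
```

Note that ALLOW-FROM was never supported by Chrome or Safari and has since been removed from Firefox; current browsers expect the frame-ancestors directive of Content-Security-Policy for an origin allow-list.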


By yddmax
Link: https://www.jianshu.com/p/9ec724f4e3ae
Source: Jianshu
The copyright belongs to the author. For commercial reprint, please contact the author for authorization. For non-commercial reprint, please indicate the source.


Tags: Spring Java

Posted on Sun, 19 Jan 2020 06:08:30 -0500 by matthewlesh