background
The content platform embeds the UGC post details page in an iframe so that users can preview a post. The post details page, however, does not allow itself to be embedded in an iframe, and the browser shows the following error instead: "star.aliexpress.com rejected our connection request."
Reason
This happens because the post details page does not allow iframe embedding. Spring Security, which Spring Boot enables by default, is secure by default: it sends a response header that forbids the page from being framed, which protects users against clickjacking.
Solution
X-Frame-Options has three values:
DENY
Indicates that the page may not be displayed in a frame at all, even when the framing page is on the same domain.
SAMEORIGIN
Indicates that the page may only be displayed in a frame belonging to a page on the same domain.
ALLOW-FROM uri
Indicates that the page may only be displayed in a frame belonging to the specified origin.
Spring Boot supports the @EnableWebSecurity annotation for customising the security policy. The details are as follows:
```java
import com.alibaba.spring.websecurity.DefaultWebSecurityConfigurer;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import java.util.Arrays;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends DefaultWebSecurityConfigurer {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        // Disable the default X-Frame-Options writer. This line cannot be omitted:
        // without it the default DENY header is still written and overrides ours.
        http.headers().frameOptions().disable();
        // Add the new strategy: only the allowlisted origins get an ALLOW-FROM header.
        http.headers().addHeaderWriter(new XFrameOptionsHeaderWriter(
                new WhiteListedAllowFromStrategy(
                        Arrays.asList("http://itaobops.aliexpress.com",
                                      "https://cpp.alibaba-inc.com",
                                      "https://pre-cpp.alibaba-inc.com"))));
    }
}
```
Above is the setting method that supports ALLOW-FROM uri.
Other settings are relatively simple. The following is the setting method that supports SAMEORIGIN:
```java
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends DefaultWebSecurityConfigurer {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        // Emit X-Frame-Options: SAMEORIGIN instead of the default DENY.
        http.headers().frameOptions().sameOrigin();
    }
}
```
The following is the way to allow embedding from anywhere (no X-Frame-Options header is sent at all):
```java
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends DefaultWebSecurityConfigurer {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        // Remove the X-Frame-Options header entirely; any site may frame this page.
        http.headers().frameOptions().disable();
    }
}
```
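One caveat a practitioner should know about the ALLOW-FROM variant above: that value was never implemented by Chrome or Safari and has since been dropped by Firefox, so browsers that do not understand it fall back to framing the page freely. The standard replacement is the Content-Security-Policy `frame-ancestors` directive, which accepts several origins and takes precedence over X-Frame-Options where both are present. The configuration below is an added example, not code from the original post or from the project it describes; it uses plain Spring Security (the lambda DSL and `SecurityFilterChain` bean, which assume Spring Security 5.7 or later) rather than the Alibaba `DefaultWebSecurityConfigurer` base class, and the class name `FrameEmbeddingConfig` and the allowlisted origins are hypothetical.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class FrameEmbeddingConfig {

    // Hypothetical allowlist: only these origins may embed the post details page.
    // Each entry is a full origin (scheme and host); there is no wildcard, so a
    // typo here fails closed (the page is simply not framed) rather than open.
    private static final List<String> ALLOWED_EMBEDDERS = List.of(
            "https://cpp.alibaba-inc.com",
            "https://pre-cpp.alibaba-inc.com");

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // frame-ancestors is the CSP equivalent of ALLOW-FROM, but it takes a list:
        // 'self' keeps same-origin embedding working, the rest are external embedders.
        String frameAncestors = "frame-ancestors 'self' " + String.join(" ", ALLOWED_EMBEDDERS);

        http.headers(headers -> headers
                // Keep X-Frame-Options: SAMEORIGIN as the fallback for any client that
                // ignores frame-ancestors; browsers that understand both apply the CSP.
                .frameOptions(frame -> frame.sameOrigin())
                .contentSecurityPolicy(csp -> csp.policyDirectives(frameAncestors)));

        return http.build();
    }
}
```

With this in place every response carries both `X-Frame-Options: SAMEORIGIN` and `Content-Security-Policy: frame-ancestors 'self' https://cpp.alibaba-inc.com https://pre-cpp.alibaba-inc.com`. A quick way to confirm the headers after deploying is `curl -sI https://<post-details-host>/<post-path> | grep -iE 'x-frame-options|content-security-policy'` (host and path are placeholders); if only the X-Frame-Options line appears, the CSP customiser is not being applied and the external embedders will still be blocked.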
By yddmax
Link: https://www.jianshu.com/p/9ec724f4e3ae
Source: Jianshu
The copyright belongs to the author. For commercial reprint, please contact the author for authorization. For non-commercial reprint, please indicate the source.