Fixing "Refused to display in a frame because it set 'X-Frame-Options' to 'DENY'"
阿新 • Published: 2018-12-26
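Today, while uploading images through an iframe or nesting a page inside an iframe, I ran into the following error: "Refused to display in a frame because it set 'X-Frame-Options' to 'DENY'". I spent a long time searching for information on this problem and found quite a few solutions: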
1. Set the header on the response
response.setHeader("X-Frame-Options", "SAMEORIGIN"); // fixes the iframe being refused
2. Add a filter to Tomcat's web.xml configuration file
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Neither of the two methods above seemed to work!
3. Set the frame-options policy in the Spring Security XML configuration
<security:http auto-config="true" use-expressions="true">
    <security:headers>
        <security:frame-options policy="SAMEORIGIN"/>
    </security:headers>
</security:http>
4. Write a class that extends WebSecurityConfigurerAdapter and set the options there
package cn.wzz.web;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enable the Spring Security annotations
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    @Override
    protected AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Turn off CSRF protection
        http.csrf().disable();
        // The cross-origin problem: this stops the X-Frame-Options header from being sent at all,
        // so pages on any origin can frame the application
        http.headers().frameOptions().disable();
//        http.authorizeRequests()
//            // allow all users to access "/" and "/uploadFile"
//            .antMatchers("/uploadFile").permitAll()
//            // every other URL requires authentication
//            .anyRequest().authenticated()
//            .and()
//            .formLogin()
//            .loginPage("/login") // the login page is "/login"
//            .defaultSuccessUrl("/list") // redirect to "list" by default after a successful login
//            .permitAll()
//            .and()
//            .logout()
//            .logoutSuccessUrl("/home") // the default URL after logout is "/home"
//            .permitAll();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Stop static resources from being intercepted
        web.ignoring().antMatchers("/static/**");
    }
}
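A narrower variant of method 4, as an added example that is not the original author's code: it relaxes Spring Security's default X-Frame-Options: DENY to SAMEORIGIN instead of removing the header, and sends the matching CSP frame-ancestors directive. The class name FrameSameOriginConfig and the authorization rule are assumptions, contentSecurityPolicy assumes Spring Security 4.1 or later, and the class is meant to stand in for WebSecurityConfig above, not to run beside it.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; use it in place of WebSecurityConfig, not alongside it.
@Configuration
@EnableWebSecurity
public class FrameSameOriginConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            // Weak setting from method 4: .frameOptions().disable()
            // removes the header, so any origin may frame the application.
            // Corrected: send "X-Frame-Options: SAMEORIGIN", which still lets
            // the application's own pages embed the upload iframe.
            .frameOptions().sameOrigin()
            // The same rule as a Content-Security-Policy directive.
            .contentSecurityPolicy("frame-ancestors 'self'");

        // CSRF protection stays at its default (enabled). The "Refused to
        // display" error is raised for the frame header, so fixing it does not
        // require http.csrf().disable(); forms posted from inside the iframe
        // must then carry the CSRF token.

        // Assumed authorization rule so the class is a complete configuration;
        // replace it with the application's own rules.
        http.authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```

With this in place the response carries X-Frame-Options: SAMEORIGIN, which can be confirmed in the browser's network panel on the framed request.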
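This is actually also a kind of cross-origin problem. Two good articles that introduce cross-origin problems:
One is on SegmentFault (思否): "Stop Asking Me About Cross-Origin Problems" (《不要再問我跨域的問題了》)
The other is: "Causes of Cross-Origin Problems and Their Solutions" (《跨域問題出現原因和解決方案》)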