Content-Security-Policy for webapp in iframe
I have a web app (myApp, developed with Spring Boot and Vaadin). The web app is deployed to a Tomcat server: http://tomcatserver:8080/myApp
Now I want to display the web app in an iframe, like this:
<iframe src="//tomcatserver:8080/myApp"></iframe>
One requirement is that the iframe should only work for a whitelist of domains that embed it. So I have a web server, http://myWebserver:8081, which has an index.html with the <iframe> inside.
The web app generates the following in Spring's WebSecurityConfigurerAdapter:
http.csrf().disable(); // Requirement: DTEUTARIF-111
http.headers()
    .frameOptions().disable()
    .and()
    .headers().contentTypeOptions()
    .and()
    .xssProtection()
    .and()
    .httpStrictTransportSecurity()
    .and()
    .addHeaderWriter(
        new StaticHeadersWriter(
            "Content-Security-Policy",
            "default-src 'self';" +
            "child-src 'self' http://myWebserver:8081;" +
            "script-src 'self' http://myWebserver:8081;" +
            "style-src 'self' http://myWebserver:8081;" +
            "connect-src 'self' http://myWebserver:8081;" +
            "font-src 'self' http://myWebserver:8081;" +
            "object-src 'self' http://myWebserver:8081;"
        )
    );
But I always get this:
angular.js:3543 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' http://myWebserver:8081". Either the 'unsafe-inline' keyword, a hash ('sha256-1PxuDsPyGK6n+LZsMv0gG4lMX3i3XigG6h0CzPIjwrE='), or a nonce ('nonce-...') is required to enable inline execution.
The same goes for "script-src".
I'm not 100% sure, but when I add 'unsafe-inline' to script-src and style-src, the iframe is open to every domain.
What am I doing wrong? Is it possible at all?
For a working solution, I replaced:
new StaticHeadersWriter(
    "Content-Security-Policy",
    "default-src 'self';" +
    "child-src 'self' http://myWebserver:8081;" +
    "script-src 'self' http://myWebserver:8081;" +
    "style-src 'self' http://myWebserver:8081;" +
    "connect-src 'self' http://myWebserver:8081;" +
    "font-src 'self' http://myWebserver:8081;" +
    "object-src 'self' http://myWebserver:8081;"
)
with:
new StaticHeadersWriter("Content-Security-Policy",
    "frame-ancestors 'self' http://myWebserver:8081")
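To make the difference between the two headers concrete, here is an added example (not code from the question) that models how a browser decides whether a document may be framed under a given CSP. It assumes a simplified CSP3 source match (exact scheme, host with an optional leading wildcard, port with the scheme's default) and uses the question's origins as constructed inputs.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def source_matches(expr, ancestor_url, document_url):
    """Simplified CSP3 source-expression match for frame-ancestors. Quoted keywords other
    than 'self' ('none', 'unsafe-inline', nonces, hashes) never match an ancestor origin."""
    if expr == "'self'":
        return _origin(document_url) == _origin(ancestor_url)
    if expr.startswith("'"):
        return False
    if "://" not in expr:  # a host-source without a scheme inherits the document's scheme
        expr = _origin(document_url)[0] + "://" + expr
    e_scheme, e_host, e_port = _origin(expr)
    a_scheme, a_host, a_port = _origin(ancestor_url)
    host_ok = a_host.endswith(e_host[1:]) if e_host.startswith("*.") else e_host == a_host
    return e_scheme == a_scheme and host_ok and e_port == a_port


def framing_allowed(header, document_url, ancestor_url):
    """Whether a page served with `header` at document_url may be framed by ancestor_url.
    frame-ancestors has no default-src fallback: if it is absent, CSP does not limit framing,
    whatever script-src/style-src (or 'unsafe-inline') say."""
    sources = parse_csp(header).get("frame-ancestors")
    if sources is None:
        return True
    return any(source_matches(s, ancestor_url, document_url) for s in sources)


if __name__ == "__main__":
    app = "http://tomcatserver:8080/myApp"  # constructed: the question's app URL
    headers = ("default-src 'self'; script-src 'self' 'unsafe-inline' http://myWebserver:8081",
               "frame-ancestors 'self' http://myWebserver:8081")
    for hdr in headers:
        for parent in ("http://myWebserver:8081/index.html", "http://other.example/"):
            print(f"{hdr!r} framed by {parent}: {framing_allowed(hdr, app, parent)}")
```

Only the second header restricts embedding; the first, even with 'unsafe-inline', leaves framing unrestricted because it has no frame-ancestors directive.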