为什么 iframe 对 yahoo.com 不起作用

2021-12-21 00:00:00 iframe frames php html x-frame-options

我发现这不起作用:

<iframe src="http://www.yahoo.com"> </iframe>

我已阅读此问题,但我没有了解添加的含义:

I have read this question, but I don't understand what they mean by add:

<?php
header('X-Frame-Options: GOFORIT'); 
?>

我尝试将其添加到我的 html 文件的顶部(当然是将其更改为 php 文件),我的 php 文件变成了:

I tried to add this to the top of my html file(change it to php file, of course), and my php file became:

<?php
header('X-Frame-Options: GOFORIT'); 
?>
<iframe src="http://www.yahoo.com"> </iframe>

我在我的 appserv(使用 php 5.2.6)中运行它,但它不起作用.有人能解释一下我应该怎么做才能克服这个问题吗?

I run it in my appserv(with php 5.2.6), and it doesn't work. Could anybody explain what should I do exactly to overcome this?

推荐答案

你运气不好:yahoo.com 不允许你在 iframe 中嵌入他们的网站.facebook 或其他热门网站也没有.

You're out of luck: yahoo.com doesn't allow you to embed their site in an iframe. Nor does facebook or other popular sites.

此限制的原因是点击劫持.

您可以通过检查其站点的响应标头来验证这一点;他们指定 X-Frame-Options:SAMEORIGIN 这意味着只有 yahoo.com 可以嵌入 yahoo.com 页面.

You can verify this by checking the response headers from their site; they specify X-Frame-Options:SAMEORIGIN which means only yahoo.com can embed yahoo.com pages.

一些较旧的浏览器不会强制执行标头,但所有新浏览器都会.Afaik,没有简单的方法可以解决.

Some older browsers won't enforce the header but all new ones will. Afaik, there's no simple way around it.

我能想到的唯一解决方案是实现代理脚本,即您嵌入一个脚本,该脚本位于您的服务器上,为您获取远程内容.

The only solution I can think of is implementing a proxy script, i.e. you embed a script that lives on your server that fetches the remote content for you.

例如.您的 iframe 调用/my-proxy.php?url=http://www.yahoo.com/",该脚本看起来喜欢:

Eg. your iframe calls "/my-proxy.php?url=http://www.yahoo.com/" and that script would look like:

<?php

header('X-Frame-Options: SAMEORIGIN'); // don't allow other sites to use my proxy
echo file_get_contents($_GET['url']);

您的里程可能会有所不同...

Your mileage may vary...

相关文章