How can I make an iframe block requests to certain domains?

Problem description

Is there an attribute on iframes that would make it block requests to certain domains? Something like the following:

<iframe src="www.example.com" block-domains="google.com"></iframe>

So if block-domains were the magic attribute I'm looking for, it would tell the iframe to block all requests to the domains listed in block-domains.

Solution

I think the closest thing to such a setting is setting X-Frame-Options in the HEADER declaration. The documentation here states that you can supply either of the following 2 options (the 3rd is obsolete):

  • DENY: the iframe is not displayed, regardless of which page is trying to embed it
  • SAMEORIGIN: the iframe is displayed only if it is called by a site with the same origin as the page itself (checked via frame ancestors)

Another workaround is to use frame-ancestors as part of the Content-Security-Policy header, which lets you specify the sites that may embed the iframe.


As far as I know, this is not possible unless you have the ability to set the response headers of the domain being loaded.

If you do have that access, you can set the frame-src directive in the Content-Security-Policy response header. It restricts the domains the page can load in iframes.

For example: if the site at https://example.com has the response header Content-Security-Policy: frame-src 'self' *.trusted.com, then only the example.com and *.trusted.com domains can be requested in an iframe.
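An added example covering both answers above (it is not code from the question or from either answer): a small JavaScript model of how a browser evaluates the frame-ancestors and frame-src directives the answers mention, plus the X-Frame-Options values that correspond to them. The origins example.com, partner.example and trusted.com and the policy strings are constructed for illustration.

```javascript
'use strict';
// Added example for the two answers above; it is not code from the question
// or from either answer. It models how a browser evaluates the two CSP
// directives they mention:
//   frame-ancestors (and its X-Frame-Options equivalents): who may embed THIS page
//   frame-src:                                             what THIS page may embed
// All origins below (example.com, trusted.com, partner.example) are constructed.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does URL `candidate` match source expression `expr`, evaluated for a
// document served from origin `page`?  Covers 'self', 'none', '*', bare
// hosts, wildcard hosts (*.trusted.com) and scheme://host[:port]; nonces
// and hashes are irrelevant to frame directives and are not handled.
function sourceMatches(expr, candidate, page) {
  const c = new URL(candidate);
  const s = new URL(page);
  if (expr === "'none'") return false;
  if (expr === "'self'") return c.origin === s.origin;
  if (expr === '*') return c.protocol === 'http:' || c.protocol === 'https:';

  let rest = expr.toLowerCase();
  let scheme = null;
  const schemeEnd = rest.indexOf('://');
  if (schemeEnd !== -1) {
    scheme = rest.slice(0, schemeEnd) + ':';
    rest = rest.slice(schemeEnd + 3);
  }
  let port = null;
  const portStart = rest.lastIndexOf(':');
  if (portStart !== -1) {
    port = rest.slice(portStart + 1);
    rest = rest.slice(0, portStart);
  }

  // Scheme: an explicit one must match exactly; a scheme-less expression
  // inherits the document's scheme, and an http: document may also load https:.
  if (scheme !== null) {
    if (c.protocol !== scheme) return false;
  } else if (c.protocol !== s.protocol && !(s.protocol === 'http:' && c.protocol === 'https:')) {
    return false;
  }

  // Host: '*.trusted.com' matches any subdomain but not trusted.com itself.
  if (rest.startsWith('*.')) {
    if (!c.hostname.endsWith(rest.slice(1))) return false;
  } else if (c.hostname !== rest) {
    return false;
  }

  // Port: no port in the expression means the scheme's default port only
  // (URL normalises a default port to ''); ':*' allows any port; anything
  // else must equal the URL's effective port.
  if (port === null) return c.port === '';
  if (port === '*') return true;
  return (c.port || (c.protocol === 'https:' ? '443' : '80')) === port;
}

// May a page at `page` embed `frameUrl`?  frame-src falls back to child-src
// and then default-src when it is absent.
function frameAllowed(policy, frameUrl, page) {
  const sources = policy['frame-src'] || policy['child-src'] || policy['default-src'];
  if (!sources) return true; // no applicable directive: unrestricted
  return sources.some((expr) => sourceMatches(expr, frameUrl, page));
}

// May a document at `embedderOrigin` embed the page at `page`?
// frame-ancestors deliberately has no default-src fallback.
function embeddingAllowed(policy, embedderOrigin, page) {
  const sources = policy['frame-ancestors'];
  if (!sources) return true;
  return sources.some((expr) => sourceMatches(expr, embedderOrigin, page));
}

// The X-Frame-Options value that says the same thing as a frame-ancestors
// list, for clients that only understand the older header. Only 'none' and
// 'self' have an equivalent; ALLOW-FROM is obsolete, so an allow-list can
// only be expressed with CSP (which wins when both headers are present).
function xfoEquivalent(policy) {
  const sources = policy['frame-ancestors'];
  if (!sources || sources.length !== 1) return null;
  if (sources[0] === "'none'") return 'DENY';
  if (sources[0] === "'self'") return 'SAMEORIGIN';
  return null;
}

// Headers a server for the constructed origin https://example.com would send
// so that only example.com and partner.example may embed it, while it may
// embed only itself and *.trusted.com. Legacy clients get SAMEORIGIN, i.e.
// they lose the partner allowance rather than gaining anything.
function framingHeaders() {
  const csp = "frame-ancestors 'self' https://partner.example; frame-src 'self' *.trusted.com";
  return {
    'Content-Security-Policy': csp,
    'X-Frame-Options': xfoEquivalent(parseCsp(csp)) || 'SAMEORIGIN',
  };
}
```

Running the checks against the second answer's policy shows the two halves of the distinction: frame-ancestors 'self' https://partner.example decides who may embed example.com, frame-src 'self' *.trusted.com decides what example.com may embed, and neither touches the requests a cross-origin iframe makes after it has loaded. Note also that *.trusted.com does not match trusted.com itself, a scheme-less source on an https: page does not permit an http: frame, and a source without a port only matches the scheme's default port.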