wordpress - Bypassing CSP rules with an iframe in WordPress
Problem description
I want to embed another website in an iframe.
I simply added some HTML to a WordPress page:
<iframe src="https://www.website.com/page.htm" height="2000"></iframe>
When I am logged in to WordPress as an administrator, it works fine.
But when I try in incognito mode, like a normal visitor, I cannot see the iframe because of the CSP protection. I get this error:
Refused to display 'https://www.website.com/page.htm' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors *.website.com".
about:blank:1 [Report Only] Refused to display 'https://www.website.com/page.htm' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors *.website.com".
So my question is: why does it work as administrator but not as a normal visitor? How can I make it work in both cases?
Thanks
Edit with both versions of the headers
Headers when I am logged in as administrator
* General *
Request URL: https://www.website.com/shop.htm/
Request Method: GET
Status Code: 200 OK (from disk cache)
Remote Address: 193.164.196.82:443
Referrer Policy: no-referrer-when-downgrade
* Response headers *
Cache-Control: public
Content-Encoding: gzip
Content-Security-Policy: frame-ancestors *.website.com; report-uri https://api.website.com/api/csp-report/v1/report/;
Content-Security-Policy-Report-Only: object-src *.website.com; frame-ancestors *.website.com; report-uri https://api.website.com/api/csp-report/v1/report/;
Content-Type: text/html; charset=utf-8
Date: Thu, 05 Mar 2020 11:33:36 GMT
ETag: W/"1eea0-VxHcir7eEw4/DKj9v65JMo5WtVk"
Expires: Thu, 05 Mar 2020 11:43:36 GMT
Vary: Accept-Encoding
X-DataDome: protected
X-Protected-By: Sqreen
* Request headers *
GET /shop.htm/ HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Sec-Fetch-Dest: iframe
Referer: https://mainwebsite.com/
Headers when I am not logged in
* General *
Request URL: https://www.website.com/shop.htm/
Request Method: GET
Status Code: 200 OK
Remote Address: 193.164.197.82:443
Referrer Policy: no-referrer-when-downgrade
* Response headers *
Cache-Control: public
Content-Encoding: gzip
Content-Security-Policy: frame-ancestors *.website.com; report-uri https://api.website.com/api/csp-report/v1/report/;
Content-Security-Policy-Report-Only: object-src *.website.com; frame-ancestors *.website.com; report-uri https://api.website.com/api/csp-report/v1/report/;
Content-Type: text/html; charset=utf-8
Date: Thu, 05 Mar 2020 11:13:20 GMT
ETag: W/"1eea0-v04Wc+e633BYpAYDMk+pKbQ2M98"
Expires: Thu, 05 Mar 2020 11:23:19 GMT
Set-Cookie: datadome=OkladZXCp6qUlASDoPL-ilsKk1AqD_IWp4LCaQQvFHI3g4Hg~cA1OMfcUALlb-_mpwd844GnUmTU6QUXMStSPePr5U~3mMOlX8hY_gstZA; Max-Age=31536000; Domain=.website.com; Path=/; SameSite=Lax
Strict-Transport-Security: max-age=15768000
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-DataDome: protected
X-Protected-By: Sqreen
* Request headers *
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
Connection: keep-alive
Host: www.leboncoin.fr
Referer: https://mainwebsite.com
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
The biggest difference seems to be that it sets a cookie when I am not logged in as administrator.
Set-Cookie: datadome=OkladZXCp6qUlASDoPL-ilsKk1AqD_IWp4LCaQQvFHI3g4Hg~cA1OMfcUALlb-_mpwd844GnUmTU6QUXMStSPePr5U~3mMOlX8hY_gstZA; Max-Age=31536000; Domain=.website.com; Path=/; SameSite=Lax
Strict-Transport-Security: max-age=15768000
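The page carries no answer to the question. As an added example (not code from the question, from WordPress or from the framed site), the following JavaScript evaluates a CSP frame-ancestors directive following the CSP Level 3 source-expression matching rules (scheme, host, port and path parts). The header value it parses is the enforcing Content-Security-Policy header quoted above; the embedding origins it is tried against are constructed inputs. It shows that `*.website.com` admits only genuine subdomains of website.com over the same scheme and default port: neither mainwebsite.com (the origin the WordPress page is served from, which the quoted error reports) nor the bare website.com apex matches, and a host that merely ends in "website.com" is rejected because the comparison is on a dot boundary.

```javascript
// Added example, not code from the original post: a small evaluator for
// the CSP frame-ancestors directive, following the host-source matching
// rules of CSP Level 3. The header string is the one quoted in the
// question; the embedding origins tested at the bottom are constructed.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Pull the source list out of the frame-ancestors directive.
// Returns null when the directive is absent, i.e. CSP imposes no framing limit.
function parseFrameAncestors(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

// A scheme in the expression matches the same scheme; http: also accepts https:.
function schemeOk(wanted, actual) {
  return wanted === actual || (wanted === 'http:' && actual === 'https:');
}

// "*.example.com" matches only real subdomains, never example.com itself,
// and only on a dot boundary: "mainexample.com" does not match.
function hostOk(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return hostname.length > suffix.length && hostname.endsWith(suffix);
  }
  return hostname === pattern;
}

// Without an explicit port, only the scheme's default port is accepted
// (the URL API reports a default port as the empty string).
function portOk(pattern, ancestor) {
  if (pattern === '*') return true;
  if (pattern === undefined) return ancestor.port === '';
  return pattern === (ancestor.port || DEFAULT_PORT[ancestor.protocol]);
}

// A path ending in "/" is a prefix match, any other path an exact match.
function pathOk(pattern, pathname) {
  if (pattern === undefined) return true;
  return pattern.endsWith('/') ? pathname.startsWith(pattern) : pathname === pattern;
}

// Does one source expression admit this ancestor? `self` is the URL of the
// framed document, needed for 'self' and for scheme-less host sources.
function sourceMatches(expr, ancestor, self) {
  const keyword = expr.toLowerCase();
  if (keyword === "'none'") return false;
  if (keyword === "'self'") return ancestor.origin === self.origin;
  if (keyword === '*') return ancestor.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/.test(keyword)) return schemeOk(keyword, ancestor.protocol);

  // host-source: [scheme://]host[:port][/path]
  const m = expr.match(/^(?:([A-Za-z][A-Za-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false; // an expression the parser cannot read matches nothing
  const [, scheme, host, port, path] = m;
  const wantedScheme = scheme ? scheme.toLowerCase() + ':' : self.protocol;
  return schemeOk(wantedScheme, ancestor.protocol)
    && hostOk(host.toLowerCase(), ancestor.hostname)
    && portOk(port, ancestor)
    && pathOk(path, ancestor.pathname);
}

// Every document in the ancestor chain (the embedding page and all of its
// own ancestors) must match at least one source expression.
function framingAllowed(cspHeader, framedUrl, ancestorUrls) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true;
  const self = new URL(framedUrl);
  const chain = Array.isArray(ancestorUrls) ? ancestorUrls : [ancestorUrls];
  return chain.every(url => {
    const ancestor = new URL(url);
    return sources.some(expr => sourceMatches(expr, ancestor, self));
  });
}

// Enforcing header from the question (the report-only header repeats the
// same directive but only generates reports, it blocks nothing).
const CSP = 'frame-ancestors *.website.com; report-uri https://api.website.com/api/csp-report/v1/report/;';
const FRAMED = 'https://www.website.com/page.htm';

// Constructed embedding origins: the WordPress site, a subdomain, the apex.
for (const ancestor of ['https://mainwebsite.com/', 'https://shop.website.com/', 'https://website.com/']) {
  console.log(ancestor, framingAllowed(CSP, FRAMED, ancestor) ? 'allowed' : 'refused');
}
```

The policy is carried by the framed response and enforced by the browser against the embedding page's origin, so nothing inside a WordPress page can relax it; only the operator of website.com can add mainwebsite.com to its frame-ancestors list. The check runs over every ancestor in the chain, so a page that is itself framed needs all of its ancestors to match.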
Solution