Making an HTML iframe work across all subdomains of one top-level domain while blocking embedding from other top-level domains
1. In 360 Browser compatibility mode, the page shows the message "this content cannot be displayed in a frame", as shown in Figure 1
This content cannot be displayed in a frame
To help protect the security of the information entered in this website, the publisher of this content is not allowed to display the information in the frame.
2. Inspecting the page source shows that the block is caused by the iframe, because the iframe URL does not match the parent page's domain, as shown in Figure 2
3. Further analysis shows that the root cause is the response header X-Frame-Options: SAMEORIGIN, as shown in Figure 3
https://developer.mozilla.org/zh-CN/docs/Web/HTTP/X-Frame-Options
This value means the page may be framed only by pages from the same origin (here, only under the tv domain).
4. Create a new virtual host, tv.eastobacco.dev, and a new page header.html on it, as shown in Figure 4
5. Set the response header for tv.eastobacco.dev: X-Frame-Options: SAMEORIGIN, as shown in Figure 5
6. Create a new virtual host, mytv.eastobacco.dev, and a new page index.html on it that frames header.html, as shown in Figure 6
7. Local reproduction: the browser shows "this content cannot be displayed in a frame", as shown in Figure 7
8. On tv.eastobacco.dev, create a new page index.html that frames header.html from the same domain, as shown in Figure 8
9. The "cannot be displayed in a frame" message no longer appears, as shown in Figure 9
10. So the response header X-Frame-Options: SAMEORIGIN is what restricts header.html to the tv domain. The requirement, however, is that header.html be displayable under every second-level domain, so the response header is changed to X-Frame-Options: frame-ancestors http://mytv.eastobacco.dev, as shown in Figure 10
# add_header x-frame-options Sameorigin;
add_header x-frame-options "allow-from http://mytv.eastobacco.dev";
add_header x-frame-options "allow-from http://tv.eastobacco.dev";
11. Repeat step 7: header.html can now be displayed under the mytv domain, as shown in Figure 11
12. Repeat step 9: header.html can no longer be displayed under the tv domain, which does not meet expectations, as shown in Figure 12
13. Reset the response header: X-Frame-Options: frame-ancestors http://*.eastobacco.dev, as shown in Figure 13
add_header x-frame-options "allow-from http://*.eastobacco.dev";
14. Repeat step 7: header.html cannot be displayed under the mytv domain, as shown in Figure 14
15. Reset the response header: X-Frame-Options: frame-ancestors http://mytv.eastobacco.dev,http://tv.eastobacco.dev, as shown in Figure 15
add_header x-frame-options "allow-from http://mytv.eastobacco.dev,http://tv.eastobacco.dev";
16. Repeat step 7: header.html cannot be displayed under the mytv domain, as shown in Figure 16
17. Reset the response header: X-Frame-Options: frame-ancestors http://mytv.eastobacco.dev;http://tv.eastobacco.dev, as shown in Figure 17
add_header x-frame-options "allow-from http://mytv.eastobacco.dev;http://tv.eastobacco.dev";
18. Repeat step 7: header.html cannot be displayed under the mytv domain, as shown in Figure 18
19. Reference: https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/. ALLOW-FROM accepts exactly one origin; it supports neither wildcards nor lists of multiple origins, as shown in Figure 19
20. Reference: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Content-Security-Policy__by_cnvoid. Reset the response header: Content-Security-Policy: frame-ancestors http://*.eastobacco.dev, as shown in Figure 20
add_header content-security-policy "frame-ancestors http://*.eastobacco.dev";
21. Repeat step 7: header.html can be displayed under the mytv domain, as expected, as shown in Figure 21
22. Repeat step 9: header.html can be displayed under the tv domain, as expected, as shown in Figure 22
23. In compatibility mode, a page on another top-level domain can still embed header.html from tv, which is not expected: compatibility mode does not support Content-Security-Policy. Decided to give up the display restriction in compatibility mode and allow any domain to embed header.html from tv there, as shown in Figure 23
24. Switch to speed mode and repeat step 7: header.html can be displayed under the mytv domain, as expected, as shown in Figure 24
25. Switch to speed mode and repeat step 9: header.html can be displayed under the tv domain, as expected, as shown in Figure 25
26. Embed header.html from tv in a page on another top-level domain: header.html cannot be displayed, as expected, as shown in Figure 26
27. Repeat step 1: the page displays normally, as expected, as shown in Figure 27
28. Compatibility mode is in fact the IE engine, and speed mode is in fact the Chrome engine. The response now sets only Content-Security-Policy, so the restriction is abandoned under IE; in every browser, any page under http://*.eastobacco.dev can embed header.html from tv, and pages on other top-level domains cannot (in browsers that honour CSP).
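As an added example that is not part of the original write-up, the following Python models how a browser evaluates the two headers compared above (X-Frame-Options with SAMEORIGIN / ALLOW-FROM, and Content-Security-Policy frame-ancestors with a *.-wildcard host) for a given framing page, so the outcomes of steps 7, 14, 16, 21 and 26 can be checked offline. It is a simplified model: only scheme-host-port source expressions are handled ('self' and 'none' are omitted), and the honours_csp flag is an assumed switch that models an engine which ignores CSP, as compatibility mode does in step 23.

```python
from urllib.parse import urlsplit

def _parts(origin):
    """(scheme, host, port) of an origin or URL, with the default port filled in."""
    u = urlsplit(origin.strip().lower())
    return u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80)

def _csp_source_allows(source, ancestor):
    """One frame-ancestors host-source expression; a leading '*.' matches any subdomain."""
    s_scheme, s_host, s_port = _parts(source)
    a_scheme, a_host, a_port = _parts(ancestor)
    if (s_scheme, s_port) != (a_scheme, a_port):
        return False
    if s_host.startswith("*."):
        return a_host.endswith(s_host[1:])  # *.eastobacco.dev matches mytv.eastobacco.dev
    return s_host == a_host

def _xfo_allows(value, ancestor, page):
    """X-Frame-Options: DENY, SAMEORIGIN or ALLOW-FROM <exactly one origin>."""
    value = value.strip().lower()
    if value == "deny":
        return False
    if value == "sameorigin":
        return _parts(ancestor) == _parts(page)
    if value.startswith("allow-from "):
        uri = value[len("allow-from "):].strip()
        if any(c in uri for c in "*,; "):
            return False  # wildcards and lists are invalid: the frame is refused (steps 13-18)
        return _parts(uri) == _parts(ancestor)
    return True  # unrecognised value: the header is ignored

def frame_allowed(headers, ancestor, page, honours_csp=True):
    """headers: (name, value) pairs of the framed page's response; ancestor/page: origins.
    honours_csp=False (assumed flag) models a legacy engine that ignores CSP entirely."""
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    if honours_csp:
        for policy in csp:
            for directive in policy.split(";"):
                name, _, sources = directive.strip().partition(" ")
                if name.lower() == "frame-ancestors":
                    # CSP Level 2: a frame-ancestors directive overrides X-Frame-Options
                    return any(_csp_source_allows(s, ancestor) for s in sources.split())
    if not xfo:
        return True
    if len({v.strip().lower() for v in xfo}) > 1:
        return False  # conflicting duplicate X-Frame-Options headers are treated as DENY
    return _xfo_allows(xfo[0], ancestor, page)
```

Calling frame_allowed with the framed page http://tv.eastobacco.dev and the header from step 20 returns True for an ancestor under *.eastobacco.dev and False for another top-level domain, while honours_csp=False returns True for everything, mirroring step 23.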