IE 11 – Eternal Night
https://www.shuijingwanwq.com
There is no problem not worth solving, and no technology not worth learning!
Sun, 07 Jun 2026 14:06:44 +0000

The HTML iframe tag supports all pan-domains under a certain top-level domain name, and restricts the display implementation of other top-level domain names
https://www.shuijingwanwq.com/en/2017/10/16/16102/
Mon, 16 Oct 2017 06:00:23 +0000

1. In 360 Browser compatibility mode, the page shows the message "This content cannot be displayed in a frame", as shown in Figure 1

This content cannot be displayed in a frame

To help protect the security of the information entered in this website, the publisher of this content is not allowed to display the information in the frame.

In 360 Browser compatibility mode, the prompt "This content cannot be displayed in a frame" appears

Figure 1

2. Check the source code of the web page: the message is caused by an iframe, because the URLs are inconsistent, as shown in Figure 2

Checking the page source confirms that the cause is the iframe and the inconsistent URLs

Figure 2

3. Further analysis shows that the root cause is that the response header contains X-Frame-Options: SAMEORIGIN, as shown in Figure 3

https://developer.mozilla.org/zh-CN/docs/Web/HTTP/X-Frame-Options
SAMEORIGIN indicates that the page can be displayed only in a frame on a page of the same domain name (that is, it can only be displayed under the tv domain name).

Further analysis: the root cause is that the response header contains X-Frame-Options: SAMEORIGIN

Figure 3

4. Create a new virtual host, tv.eastobacco.dev, and create a new page header.html, as shown in Figure 4

Create a new local virtual host, tv.eastobacco.dev, and the corresponding page header.html

Figure 4

5. Set the response header of tv.eastobacco.dev: X-Frame-Options: SAMEORIGIN, as shown in Figure 5

Set the response header of tv.eastobacco.dev: X-Frame-Options: SAMEORIGIN

Figure 5

6. Create a new virtual host, mytv.eastobacco.dev, and create a new page index.html, as shown in Figure 6

Create a new local virtual host, mytv.eastobacco.dev, and the corresponding page index.html

Figure 6

7. Local reproduction: the message "This content cannot be displayed in a frame" appears, as shown in Figure 7

Reproduced locally: "This content cannot be displayed in a frame"

Figure 7

8. On tv.eastobacco.dev, create a new page index.html, which includes the header.html of this domain name, as shown in Figure 8

On tv.eastobacco.dev, create the corresponding page index.html, which includes the header.html of this domain name

Figure 8

9. The prompt "This content cannot be displayed in a frame" no longer appears, as shown in Figure 9

The prompt "This content cannot be displayed in a frame" no longer appears

Figure 9

10. Therefore, it can be determined that the main function of the response header X-Frame-Options: SAMEORIGIN is to make header.html displayable only under the tv domain name. The current requirement, however, is that it be displayable under all secondary domain names, so set the response header: X-Frame-Options: allow-from http://mytv.eastobacco.dev, as shown in Figure 10
# add_header X-Frame-Options SAMEORIGIN;
add_header X-Frame-Options "allow-from http://mytv.eastobacco.dev";
add_header X-Frame-Options "allow-from http://tv.eastobacco.dev";

It can be determined that the main function of the response header X-Frame-Options: SAMEORIGIN is to make header.html displayable only under the tv domain name

Figure 10

11. Repeat the 7th step and find that the header.html can be displayed under the mytv domain name, as shown in Figure 11

Repeating step 7, header.html can be displayed under the mytv domain name

Figure 11

12. Repeat the 9th step and find that header.html cannot be displayed under the tv domain name, which does not meet expectations, as shown in Figure 12

Repeating step 9, header.html cannot be displayed under the tv domain name, which does not meet expectations

Figure 12

13. Reset the response header: X-Frame-Options: allow-from http://*.eastobacco.dev, as shown in Figure 13
add_header X-Frame-Options "allow-from http://*.eastobacco.dev";

Reset the response header: X-Frame-Options: allow-from http://*.eastobacco.dev

Figure 13

14. Repeat step 7 and find that header.html cannot be displayed under the mytv domain name, as shown in Figure 14

Repeating step 7, header.html cannot be displayed under the mytv domain name

Figure 14

15. Reset the response header: X-Frame-Options: allow-from http://mytv.eastobacco.dev,http://tv.eastobacco.dev, as shown in Figure 15
add_header X-Frame-Options "allow-from http://mytv.eastobacco.dev,http://tv.eastobacco.dev";

Reset the response header: X-Frame-Options: allow-from http://mytv.eastobacco.dev, http://tv.eastobacco.dev

Figure 15

16. Repeat step 7 and find that header.html cannot be displayed under the mytv domain name, as shown in Figure 16

Repeating step 7, header.html cannot be displayed under the mytv domain name

Figure 16

17. Reset the response header: X-Frame-Options: allow-from http://mytv.eastobacco.dev;http://tv.eastobacco.dev, as shown in Figure 17
add_header X-Frame-Options "allow-from http://mytv.eastobacco.dev;http://tv.eastobacco.dev";

Reset the response header: X-Frame-Options: allow-from http://mytv.eastobacco.dev; http://tv.eastobacco.dev

Figure 17

18. Repeat step 7 and find that header.html cannot be displayed under the mytv domain name, as shown in Figure 18

Repeating step 7, header.html cannot be displayed under the mytv domain name

Figure 18

19. Reference URL: https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/ . allow-from does not support wildcards or lists of multiple sources, as shown in Figure 19

Reference URL: https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/ . Allow-From does not support wildcards or lists of multiple sources

Figure 19

20. Reference URL: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Content-Security-Policy__by_cnvoid . Reset the response header: Content-Security-Policy: frame-ancestors http://*.eastobacco.dev, as shown in Figure 20
add_header Content-Security-Policy "frame-ancestors http://*.eastobacco.dev";

Reference URL: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Content-Security-Policy__by_cnvoid . Reset the response header: Content-Security-Policy: frame-ancestors http://*.eastobacco.dev

Figure 20

21. Repeat the 7th step and find that the header.html can be displayed under the mytv domain name, which is in line with the expectations, as shown in Figure 21

Repeating step 7, header.html can be displayed under the mytv domain name, which is in line with expectations

Figure 21

22. Repeat the 9th step and find that header.html can be displayed under the tv domain name, which is in line with expectations, as shown in Figure 22

Repeating step 9, header.html can be displayed under the tv domain name, which is in line with expectations

Figure 22

23. Including the header.html under tv from another top-level domain name still succeeds, which is not in line with expectations, because compatibility mode does not support Content-Security-Policy. The decision is to give up the display restriction in compatibility mode and allow all domain names to include header.html under tv, as shown in Figure 23

Including the header.html under tv from another top-level domain name still succeeds, which is not in line with expectations; because compatibility mode does not support Content-Security-Policy, the decision is to give up the display restriction in compatibility mode and allow all domain names to include header.html under tv

Figure 23

24. Turn on the speed mode, repeat the 7th step, and find that the header.html can be displayed under the mytv domain name, which is in line with the expectations, as shown in Figure 24

With speed mode turned on, repeating step 7, header.html can be displayed under the mytv domain name, which is in line with expectations

Figure 24

25. Turn on the speed mode, repeat the 9th step, and find that header.html can be displayed under the tv domain name, which is in line with expectations, as shown in Figure 25

With speed mode turned on, repeating step 9, header.html can be displayed under the tv domain name, which is in line with expectations

Figure 25

26. Include the header.html under tv from another top-level domain name and find that header.html cannot be displayed, which is in line with expectations, as shown in Figure 26

Including the header.html under tv from another top-level domain name, header.html cannot be displayed, which is in line with expectations

Figure 26

27. Repeat the first step, normal display, in line with expectations, as shown in Figure 27

Repeating step 1, the page displays normally, which is in line with expectations

Figure 27

28. The compatibility mode is actually the IE browser, and the speed mode is actually the Chrome browser. The response header sets only Content-Security-Policy, so the security setting is abandoned under the IE browser, in order to ensure that under all browsers every http://*.eastobacco.dev host can include header.html under tv, and other top-level domain names cannot include it.
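
An added example (not code from the original post) that models the two checks the steps above ran into: X-Frame-Options allow-from accepts exactly one origin, while a Content-Security-Policy frame-ancestors source may carry a `*.` wildcard. The function names and the simplified matching (one embedder, no IPv6 literals, no `'self'`) are assumptions, and www.example.com is a constructed stand-in for the other top-level domain.

```python
DEFAULT_PORT = {"http": 80, "https": 443}

def parse_origin(text):
    """Split 'scheme://host[:port]' into (scheme, host, port or None)."""
    scheme, sep, rest = text.strip().partition("://")
    if not sep:
        raise ValueError(f"not an origin: {text!r}")
    host, _, port = rest.split("/")[0].partition(":")
    return scheme.lower(), host.lower(), int(port) if port else None

def xfo_allow_from_is_valid(value):
    """X-Frame-Options allow-from takes exactly one origin: no wildcard, no list."""
    parts = value.strip().split()
    if len(parts) != 2 or parts[0].lower() != "allow-from":
        return False
    return not any(ch in parts[1] for ch in "*,;")

def source_matches(expr, origin):
    """Simplified CSP host-source match of one source expression against an origin."""
    e_scheme, e_host, e_port = parse_origin(expr)
    o_scheme, o_host, o_port = parse_origin(origin)
    # CSP Level 3: an http: source also matches the https: form of the same host.
    if e_scheme != o_scheme and not (e_scheme == "http" and o_scheme == "https"):
        return False
    if e_host.startswith("*."):
        # "*.eastobacco.dev" covers every subdomain but not the bare "eastobacco.dev".
        if not o_host.endswith(e_host[1:]):
            return False
    elif e_host != o_host:
        return False
    # A source without a port only matches the default port of the embedder's scheme.
    default = DEFAULT_PORT.get(o_scheme)
    return (o_port or default) == (e_port or default)

def frame_ancestors_allows(policy, embedder):
    """Would this Content-Security-Policy value let `embedder` frame the response?"""
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        if "*" in tokens[1:]:
            return True
        return any("://" in s and source_matches(s, embedder) for s in tokens[1:])
    return True  # no frame-ancestors directive: CSP does not restrict framing

if __name__ == "__main__":
    policy = "frame-ancestors http://*.eastobacco.dev"  # header value from step 20
    for parent in ("http://mytv.eastobacco.dev", "http://www.example.com"):
        print(parent, "->", frame_ancestors_allows(policy, parent))
```

A browser that ignores Content-Security-Policy, such as the IE engine behind compatibility mode in step 23, never runs the second check, which is why the restriction only holds in speed mode.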

Implement WeChat login in ShopNC, and use Detector to detect browser-related processes
https://www.shuijingwanwq.com/en/2016/04/29/16258/
Fri, 29 Apr 2016 05:47:23 +0000

1. When WeChat login is used inside the WeChat client, the QR code scanning layer pops up; this should be removed so that the client jumps directly to the authorization page, as shown in Figure 1:

WeChat login inside the WeChat client pops up the QR code scanning layer

2. In the mobile browser, the QR code scanning layer will pop up, and an error will be reported after scanning, as shown in Figure 2:

In the mobile browser, the QR code scanning layer pops up, and an error is reported after scanning

3. Admin backend – Platform – Members – Account Synchronization – WeChat public platform, as shown in Figure 3:
Execute SQL:
INSERT INTO `trade_setting` (`name`, `value`) VALUES ('mp_weixin_isuse', '1');
INSERT INTO `trade_setting` (`name`, `value`) VALUES ('mp_weixin_appid', 'WX5C318E640E87F7E8');
INSERT INTO `trade_setting` (`name`, `value`) VALUES ('mp_weixin_secret', '1F436A3A0DBFDAC1C8E1C8F72D2FBEC');

Admin backend – Platform – Members – Account Synchronization – WeChat Public Platform

4. Use Detector to detect the browser (URL: http://detector.dmolsen.com/). It can automatically adapt to new browsers, versions and devices, uses the unique user agent string of each browser, and is based on Modernizr, as shown in Figure 4:

Use Detector to detect the browser, URL: http://detector.dmolsen.com/

5. Copy the directory lib/Detector to core/framework/Detector, as shown in Figure 5:

Also set the directories user-agents/core/, user-agents/extended/ and config to be writable;

Copy the directory lib/Detector to core/framework/Detector

6. The rules are formulated as follows; the code in the controller and template files is shown in Figures 6 and 7:

(1) PC, Tablet: pop up the QR code scanning layer (here WeChat open platform, website application);

(2) Mobile browser: hide;

(3) Mobile client: directly jump to the authorization page (here WeChat public platform, service number);

36kr.com: The mobile terminal does not currently support WeChat login, please use the bound mobile phone or mailbox to log in.
Dianping.com: Hide WeChat login button (use this scheme);

Code in the controller file

Code in the template file

7. Under the mobile client, the code that jumps directly to the authorization page is shown in Figure 8:

Under the mobile client, the code that jumps directly to the authorization page

8. Under the mobile client, the web page shown after jumping directly to the authorization page is shown in Figure 9:

Under the mobile client, the web page shown after jumping directly to the authorization page

9. An error is reported when committing to SVN, as shown in Figure 10:

The working copy at

is too old (format 10) to work with client version '1.8.10 (r1615264)' (expects format 31). You need to upgrade the working copy first.

The working copy at is too old (format 10) to work with client version '1.8.10 (r1615264)' (expects format 31)

10. Delete all .svn directories under core/framework/Detector to prevent SVN conflicts, and the commit succeeds, as shown in Figures 11 and 12:

Delete all .svn directories under core/framework/Detector to prevent SVN conflicts

SVN commit was successful

11. Under the Edge browser, an error is reported, as shown in Figure 13:

SCRIPT16389: Unspecified error.

Under the Edge browser, an error is reported: SCRIPT16389: Unspecified error.

12. Open the URL http://detector.dmolsen.com/ and find that it also has this error, as shown in Figure 14:

Opening the URL http://detector.dmolsen.com/ shows this error too

13. The solution is based on $_SERVER['HTTP_USER_AGENT']: if the browser is IE10, IE11 or Edge, Detector is not used to detect the browser, as shown in Figure 15:

Based on $_SERVER['HTTP_USER_AGENT'], if the browser is IE10, IE11 or Edge, Detector is not used to detect the browser
