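I need to use several iframes on a page hosted with Firebase, but it gives me X-Frame-Options errors. One of the iframes is for a gallery hosted on Picasa, and the other iframe is for a contact form (because I can't send email through Firebase :()

Here are the errors: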
Refused to display 'https://get.google.com/albumarchive/pwa/11111/album/1111?source=pwa#slideshow/1111' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
jquery.min.js:2 Uncaught DOMException: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "https://demodomain.com" from accessing a cross-origin frame.

I did this in firebase.json, but it didn't work:
    "headers": [
      {
        "source": "**/*",
        "headers": [
          {"key": "X-Content-Type-Options", "value": "nosniff"},
          {"key": "X-Frame-Options", "value": "ALLOW"},
          {"key": "X-UA-Compatible", "value": "ie=edge"},
          {"key": "X-XSS-Protection", "value": "1; mode=block"}
        ]
      }
    ]

Posted on 2017-10-16 10:27:02
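You have the right idea, you just set the wrong value. ALLOW is not an accepted value for the X-Frame-Options header. You can set an ALLOW-FROM value and then specify the URI that is allowed to embed. See the documentation below for more.

Fix: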
    "headers": [{
      "source": "**/*",
      "headers": [
        {"key": "X-Content-Type-Options", "value": "nosniff"},
        {"key": "X-Frame-Options", "value": "ALLOW-FROM https://get.google.com"},
        {"key": "X-UA-Compatible", "value": "ie=edge"},
        {"key": "X-XSS-Protection", "value": "1; mode=block"}
      ]
    }]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://stackoverflow.com/questions/40465506
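
Added example (not part of the original question or answer): a small JavaScript model of how a browser evaluates X-Frame-Options, which is read from the response of the page being framed, using the URL and origin from the error message above. The function names and the `supportsAllowFrom` option are hypothetical, and the model assumes a single header value and one level of nesting.

```javascript
// Constructed sample input: the framed URL and embedding origin from the error above.
const ALBUM = "https://get.google.com/albumarchive/pwa/11111/album/1111?source=pwa#slideshow/1111";
const EMBEDDER = "https://demodomain.com";

// Parse one X-Frame-Options value into a directive (RFC 7034 defines three).
function parseXfo(value) {
  const v = String(value).trim();
  const upper = v.toUpperCase();
  if (upper === "DENY" || upper === "SAMEORIGIN") return { directive: upper };
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(v);
  if (m) {
    try {
      return { directive: "ALLOW-FROM", origin: new URL(m[1]).origin };
    } catch {
      return { directive: "INVALID" }; // ALLOW-FROM without a parseable URI
    }
  }
  return { directive: "INVALID" }; // e.g. "ALLOW" is not a defined value
}

// framedXfo is the header sent by the FRAMED response (null if absent).
// supportsAllowFrom (hypothetical option) models a legacy browser; current
// browsers ignore ALLOW-FROM, so it defaults to false.
function frameDecision(framedUrl, framedXfo, embedderOrigin, opts = {}) {
  if (framedXfo == null) return { allowed: true, reason: "no header on framed response" };
  const xfo = parseXfo(framedXfo);
  const framedOrigin = new URL(framedUrl).origin;
  switch (xfo.directive) {
    case "DENY":
      return { allowed: false, reason: "DENY" };
    case "SAMEORIGIN":
      return framedOrigin === embedderOrigin
        ? { allowed: true, reason: "same origin" }
        : { allowed: false, reason: "SAMEORIGIN, embedder is cross-origin" };
    case "ALLOW-FROM":
      if (opts.supportsAllowFrom !== true) return { allowed: true, reason: "ALLOW-FROM ignored" };
      return xfo.origin === embedderOrigin
        ? { allowed: true, reason: "ALLOW-FROM match" }
        : { allowed: false, reason: "ALLOW-FROM mismatch" };
    default:
      return { allowed: true, reason: "invalid value ignored" };
  }
}

console.log(frameDecision(ALBUM, "SAMEORIGIN", EMBEDDER));
```

The embedding page's own headers are not an input to `frameDecision`: only the header on the framed response and the embedder's origin decide the result.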