不能框架https://xxx-my.sharepoint.com,因为祖先违反了

问题描述 投票:0回答:1

当我尝试 (i)frame sharepoint.com 时出现此错误:

Refused to frame 'https://xxx-my.sharepoint.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com".

我尝试将所有这些 CSP 放入框架祖先中,但总是遇到相同的错误。 我在apache2中写了标题

Header always set Content-Security-Policy "default-src 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com;

frame-src 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com;

frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com;

script-src 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com"

(src之间没有空格,只是为了让事情更清楚) 我还尝试放置 X-Frames-Options、x-xss-protection、access-control-allow-origin、access-control-allow-headers。没有任何改变

我的 iframe 看起来像:

sandbox="allow-same-origin allow-scripts allow-popups allow-forms allow-modals" src="https://xxx.sharepoint.com/xxx/xxx/_layouts/15/Doc.aspx?sourcedoc={xxx}&action=edit&AllowTyping=True&wdDownloadButton=True&wdInConfigurator=True"
(我会在编辑模式下打开一个像excel或word这样的文件,使用action=embedview,它可以工作,但我想要action=edit) 我该如何解决这个问题?

iframe apache2 sharepoint-online excel-online csp
1个回答
0
投票

错误消息意味着您正在尝试构建一个页面,该页面已明确设置允许哪些其他网站构建它。如果您的主机名不在该列表中,则除了通过代理 ofc 服务修改标头之外,您无能为力。在某些情况下,限制框架的服务允许进行配置,因此您应该检查是否可以将您的网站列入白名单以对其进行框架。

© www.soinside.com 2019 - 2024. All rights reserved.