I am using silent refresh to renew the tokens in my application, which involves loading an iframe that points at the Identity Server endpoint. However, when the iframe tries to load the URL https://localhost:9443/, I get the following error in the browser console:

```text
Refused to display 'https://localhost:9443/' in a frame because it set 'X-Frame-Options' to 'deny'.
```

This is the setup I am using:
**Identity Server 7.0.0:** WSO2 IS running on https://localhost:9443/
**Frontend Framework:** Angular 18 with angular-oauth2-oidc for authentication
**Silent Refresh:** Using the library's built-in silentRefresh() method
Here is the configuration:

```typescript
import { AuthConfig } from 'angular-oauth2-oidc';

export const authConfig: AuthConfig = {
  issuer: 'https://localhost:9443/oauth2/token',
  redirectUri: window.location.origin,
  clientId: '6wgRGIKSFcB61WSDSsf0n1fysGIa',
  dummyClientSecret: "fNksWZHkxXQMv14GZ9oVYJaYyOrEJchcFuPsurYxGloa",
  strictDiscoveryDocumentValidation: false,
  responseType: 'code',
  scope: 'openid profile roles',
  showDebugInformation: true,
  // page loaded inside the hidden iframe that performs the silent refresh
  silentRefreshRedirectUri: window.location.origin + '/silent-refresh.html',
  useSilentRefresh: true,
  sessionChecksEnabled: true,
  timeoutFactor: 0.75,
  clearHashAfterLogin: true,
  logoutUrl: 'https://localhost:9443/oidc/logout',
  skipIssuerCheck: true,
};
```
silent-refresh.html

```html
<html>
  <body>
    <script>
      parent.postMessage(location.hash, location.origin);
    </script>
  </body>
</html>
```
Service

```typescript
this
  .oauthService
  .silentRefresh()
  .then(info => console.debug('refresh ok', info))
  .catch(err => console.error('refresh error', err));
```
The HTTP X-Frame-Options response header can be used to indicate whether a browser should be allowed to render a page in a frame, iframe, embed or object. Sites can use it to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

In WSO2 IS, following security best practices, the X-Frame-Options header is set to DENY by default. You can change the X-Frame-Options header value of the oauth2 web application to SAMEORIGIN or ALLOW-FROM by updating the antiClickJackingOption parameter in /repository/deployment/server/webapps/oauth2/WEB-INF/web.xml:
```xml
<filter>
  <filter-name>HttpHeaderSecurityFilter</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
</filter>
```
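Before editing web.xml it helps to predict what the browser will do with a given header, because the silent-refresh iframe is exactly the kind of framing X-Frame-Options exists to stop. The script below is an added example, written for this page and not part of either post or of WSO2 IS or angular-oauth2-oidc. It models the browser rules: a Content-Security-Policy `frame-ancestors` directive takes precedence over X-Frame-Options, `DENY` blocks every embedder, `SAMEORIGIN` only allows an embedder with the same scheme, host and port as the Identity Server page, and `ALLOW-FROM` is obsolete and ignored by current browsers. The Angular app origin `http://localhost:4200` and the authorize URL are constructed assumptions; substitute your own. Run against your deployment, the output shows that `SAMEORIGIN` fixes the error only if the Angular app is served from `https://localhost:9443` itself, and that a `frame-ancestors` allow-list naming the app origin is the narrow way to permit the refresh iframe without permitting every site.

```python
from urllib.parse import urlsplit

# Constructed sample values (assumptions, not taken from the question):
# the IS page the silent-refresh iframe loads, and the Angular app's origin.
IS_PAGE_URL = "https://localhost:9443/oauth2/authorize"
APP_ORIGIN = "http://localhost:4200"


def origin_of(url):
    """Normalise a URL to scheme://host:port with the default port made explicit."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.scheme}://{p.hostname}:{port}"


def _csp_source_matches(source, origin):
    """Simplified CSP host-source matching: optional scheme, host (with *. wildcard), port."""
    scheme, rest = origin.split("://", 1)
    host, port = rest.rsplit(":", 1)
    if source.endswith(":") and "://" not in source:      # scheme-only source, e.g. https:
        return source[:-1].lower() == scheme
    if "://" in source:
        src_scheme, src_rest = source.split("://", 1)
        if src_scheme.lower() != scheme:
            return False
    else:
        src_rest = source
    if ":" in src_rest:
        src_host, src_port = src_rest.rsplit(":", 1)
        if src_port != "*" and src_port != port:
            return False
    else:
        src_host = src_rest
        # a source without a port only matches the default port of the URL's scheme
        if port != ("443" if scheme == "https" else "80"):
            return False
    src_host = src_host.lower()
    if src_host.startswith("*."):
        return host.lower().endswith(src_host[1:])
    return src_host == host.lower()


def framing_allowed(headers, page_url, embedder_origin):
    """Return (allowed, reason) for an iframe at embedder_origin loading page_url.

    Precedence mirrors browsers: a CSP frame-ancestors directive wins; otherwise
    X-Frame-Options applies; ALLOW-FROM is obsolete and ignored by current browsers.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page_origin = origin_of(page_url)
    embedder = origin_of(embedder_origin)

    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        for src in value.split():
            s = src.strip("'").lower()
            if s == "none":
                continue                      # 'none' matches no embedder
            if s == "self":
                if embedder == page_origin:
                    return True, "frame-ancestors 'self' matches the embedder"
            elif _csp_source_matches(src, embedder):
                return True, f"frame-ancestors source {src} matches {embedder}"
        return False, f"frame-ancestors '{value}' does not include {embedder}"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY blocks every embedder"
    if xfo == "SAMEORIGIN":
        if embedder == page_origin:
            return True, "X-Frame-Options: SAMEORIGIN, embedder is the same origin"
        return False, f"X-Frame-Options: SAMEORIGIN, but {embedder} != {page_origin}"
    if xfo.startswith("ALLOW-FROM"):
        return True, "ALLOW-FROM is obsolete; current browsers ignore the header"
    return True, "no framing restriction sent"


# The header choices discussed on this page, plus the CSP replacement.
SCENARIOS = {
    "WSO2 IS default (DENY)": {"X-Frame-Options": "DENY"},
    "web.xml antiClickJackingOption=SAMEORIGIN": {"X-Frame-Options": "SAMEORIGIN"},
    "obsolete ALLOW-FROM": {"X-Frame-Options": f"ALLOW-FROM {APP_ORIGIN}"},
    "CSP frame-ancestors allow-list": {
        "Content-Security-Policy": f"frame-ancestors 'self' {APP_ORIGIN}"
    },
}


def evaluate(embedder_origin=APP_ORIGIN):
    """Evaluate every scenario for one embedder origin."""
    return {name: framing_allowed(hdrs, IS_PAGE_URL, embedder_origin)
            for name, hdrs in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (ok, why) in evaluate().items():
        print(f"{'ALLOWED' if ok else 'BLOCKED':7} {name}: {why}")
```

The matcher is deliberately a subset of the CSP source-expression grammar (no path matching), which is enough for origin-level allow-lists like the one the iframe needs. To check a live server, pass the actual response headers of the authorize endpoint to `framing_allowed` together with the origin the Angular app is served from.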