Html 内容安全策略.htaccess框架祖先_Html_.htaccess_Iframe_Content Security Policy

Html 内容安全策略.htaccess框架祖先

html .htaccess iframe

Html 内容安全策略.htaccess框架祖先,html,.htaccess,iframe,content-security-policy,Html,.htaccess,Iframe,Content Security Policy,我的Facebook聊天插件有问题，它不能在Safari、Firefox和Edge中显示。我得到以下错误：拒绝加载。。。。。。。。。。因为它不会出现在内容安全策略的frame-forcens指令中我已经在.htaccess文件中为我的站点创建了一个内容安全策略，但它仍然不起作用。在safari、Edge或firefox中，但可在Chrome中使用： # always follow the symlinks Options +SymLinksIfOwnerMatch -MultiViews -

我的Facebook聊天插件有问题，它不能在Safari、Firefox和Edge中显示。我得到以下错误：

拒绝加载。。。。。。。。。。因为它不会出现在内容安全策略的frame-forcens指令中

我已经在.htaccess文件中为我的站点创建了一个内容安全策略，但它仍然不起作用。在safari、Edge或firefox中，但可在Chrome中使用：

# always follow the symlinks
Options +SymLinksIfOwnerMatch -MultiViews -Indexes 

# X-Frame-Options to prevent clickjacking
Header always append X-Frame-Options SAMEORIGIN

# if you want to use mod_rewrite, set this 'On'
RewriteEngine On

<IfModule mod_fcgid.c>
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>

# Added by me
# Apply a CSP to all HTML and PHP files
<FilesMatch "\.(html|php)$">
    Header set Content-Security-Policy "
        default-src 'self' *.googleapis.com *.facebook.com *.marchex.io;
        script-src 'self' *.cloudflare.com *.facebook.com *.marchex.io;
        font-src 'self' *.googleapis.com *.gstatic.com;
        img-src 'self' *.marchex.io ;
    object-src 'none';
    frame-ancestors 'self' *.facebook.com;
        child-src 'self' *.facebook.com;
</FilesMatch>

# Block pages from loading when they detect reflected XSS attacks
Header always append X-XSS-Protection: 1; mode=block

# Prevent browsers from incorrectly detecting non-scripts as scripts
Header always append X-Content-Type-Options: nosniff

# Only connect to this site via HTTPS for the two years (recommended)
Header always append Strict-Transport-Security: max-age=63072000

#End of added by me

来自xfbml.customerchat.js的响应头

Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-FB-Content-MD5
Alt-Svc: h3-24=":443"; ma=3600
Cache-Control: public,max-age=1200,stale-while-revalidate=3600
Content-Encoding: gzip
Content-Length: 73449
Content-MD5: 8glO44XsX1jOvEMLr37fng==
Content-Type: application/x-javascript; charset=utf-8
Date: Tue, 17 Dec 2019 16:51:17 GMT
ETag: "b96fb1ac645c4245492e2e35d1627232"
Expires: Tue, 17 Dec 2019 16:56:31 GMT
timing-allow-origin: *
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
x-fb-content-md5: e5d959939884b2030aba9a10101ef030
X-FB-Debug: X9f8fXUbI3MWGY8fKbKU98NkUhySqg+nshcn558TJFwxM2bgY4LaM8EjYRDH6Xh8IAqLfy9ogGBJxapQigrJMw==
X-Frame-Options: DENY

来自customoerchat.php的响应头

Alt-Svc: h3-24=":443"; ma=3600
Cache-Control: private, no-cache, no-store, must-revalidate
Connection: keep-alive
Content-Encoding: br
content-security-policy: default-src * data: blob: 'self';script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;
content-security-policy: frame-ancestors https://mobilityservicesdirect.co.uk;
Content-Type: text/html; charset="utf-8"
Date: Tue, 17 Dec 2019 16:51:32 GMT
Expires: Sat, 01 Jan 2000 00:00:00 GMT
facebook-api-version: v5.0
Pragma: no-cache
Strict-Transport-Security: max-age=15552000; preload
timing-allow-origin: *
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-FB-Debug: P15E80pV8ZDmxEWhS4vE6VS4t9QYOE6dWQE9fZmdN24rvueuAYl4SvNeTO5+6iSJpLNoBOHPO/mZWV4riQuKoQ==
X-XSS-Protection: 0

如果有帮助的话，这个网站是免费的

非常感谢您的帮助

frame-prevenents指令是关于允许谁对某个页面进行框架设置的，在这种情况下，是聊天机器人的CSP禁止您的页面对其进行框架设置。在页面上应用CSP不会改变这一点

根据本页底部的故障排除提示，您必须：

检查正在呈现插件的页面的域是否已被列入白名单

确保未将“推荐人”策略标题设置为“无推荐人”

尝试将“referer Policy:origin”设置为响应标题。谢谢，但是我已经试过了，这是我在发布之前遇到的一个帖子。这并没有解决我的问题。我使用PHP设置标题，就像在文章中一样。我再试一次。或者是否有其他设置方法，如在我的.htaccess文件中？尝试了此方法。没有成功。我创建了一个虚拟facebook页面并设置了消息传递。将此添加到我的站点，它在Chrome和Safari中运行良好。因此，这是指向与业务相关的facebook页面！？！？！谢谢该域名在Chrome中运行时肯定会被列入白名单。我没有故意设置推荐人策略标题。如何检查？使用开发人员工具（F12），网络选项卡检查页面上的响应标题。它应该在CSP、X-XSS-Protection、X-Content-Type-Options和您定义的其他标题中。Facebook聊天插件响应中发送的标题是什么，该响应中的CSP可能会显示出来。我已经添加了标题。必须从Chrome上获取，因为safari没有显示任何内容。还添加了该网站。我感谢你的帮助。

Alt-Svc: h3-24=":443"; ma=3600
Cache-Control: private, no-cache, no-store, must-revalidate
Connection: keep-alive
Content-Encoding: br
content-security-policy: default-src * data: blob: 'self';script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;
content-security-policy: frame-ancestors https://mobilityservicesdirect.co.uk;
Content-Type: text/html; charset="utf-8"
Date: Tue, 17 Dec 2019 16:51:32 GMT
Expires: Sat, 01 Jan 2000 00:00:00 GMT
facebook-api-version: v5.0
Pragma: no-cache
Strict-Transport-Security: max-age=15552000; preload
timing-allow-origin: *
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-FB-Debug: P15E80pV8ZDmxEWhS4vE6VS4t9QYOE6dWQE9fZmdN24rvueuAYl4SvNeTO5+6iSJpLNoBOHPO/mZWV4riQuKoQ==
X-XSS-Protection: 0