Reference: 黑夜的风
package com.xx.xx.service;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class XFrameOptionsHeaderFilter implements Filter {

    public XFrameOptionsHeaderFilter() {
    }

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // Required: cast to the HTTP-specific types to get access to setHeader()
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        // The actual setting: only pages from the same origin may frame this response
        response.setHeader("x-frame-options", "SAMEORIGIN");
        chain.doFilter(req, resp);
    }

    public void destroy() {
    }
}
Add the following to the XML configuration:
<!-- configure the Filter -->
<filter>
<filter-name>XFrameOptionsHeaderFilter</filter-name>
<filter-class>com.xx.xx.service.XFrameOptionsHeaderFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XFrameOptionsHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The effect is as follows:
The embedded page no longer opens either.
If you configure allow-from instead,
reference: https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
Chrome and Safari do not support it.
You need to add:
response.setHeader("Content-Security-Policy", "frame-ancestors " + address); // for Safari and Chrome; address holds the origin allowed to frame the page
As shown in the image below (the third line sets the HttpOnly attribute; reference: https://blog.csdn.net/zhaifengmin/article/details/54232630 )
With that, the problem is solved!
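The two headers above (X-Frame-Options for older browsers, Content-Security-Policy frame-ancestors for Chrome, Safari and other modern browsers) can be combined in one filter. The following is an added example, not the post's own code: it reads the list of origins allowed to frame the application from an init-param (the name allowedFrameAncestors and the package com.example.security are assumptions), validates each entry so that a typo cannot silently widen the policy, and always falls back to SAMEORIGIN in X-Frame-Options because that header has no reliable cross-origin allow form. Browsers that understand frame-ancestors ignore X-Frame-Options when both are present, so legacy browsers get same-origin-only framing while modern ones get the explicit list.

```java
package com.example.security; // assumed package, not the post's com.xx.xx.service

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Sends both anti-clickjacking headers on every response:
 *  - X-Frame-Options: SAMEORIGIN for browsers without CSP support
 *    (ALLOW-FROM is deliberately not used: Chrome and Safari ignore it)
 *  - Content-Security-Policy: frame-ancestors 'self' plus an explicit allow-list
 * The allow-list comes from the init-param "allowedFrameAncestors" (assumed name),
 * a whitespace-separated list such as "https://portal.example.com https://admin.example.com"
 * (constructed sample values). When the param is absent, only same-origin framing is allowed.
 */
public class FrameAncestorsFilter implements Filter {

    // Accept only full origins (scheme + host, optional port) so each entry is unambiguous.
    private static final Pattern ORIGIN = Pattern.compile("^https?://[A-Za-z0-9.-]+(:\\d{1,5})?$");

    private String cspValue;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String raw = config.getInitParameter("allowedFrameAncestors");
        List<String> sources = new ArrayList<>();
        sources.add("'self'");
        if (raw != null) {
            for (String token : raw.trim().split("\\s+")) {
                if (token.isEmpty()) {
                    continue;
                }
                // Refuse to start with a value such as "*" or a bare hostname:
                // failing at startup is safer than deploying a weakened policy.
                if (!ORIGIN.matcher(token).matches()) {
                    throw new ServletException("allowedFrameAncestors: not a full origin: " + token);
                }
                sources.add(token);
            }
        }
        // Build the directive once; it does not change per request.
        cspValue = "frame-ancestors " + String.join(" ", sources);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) resp;
        // Set the headers before passing the request on, so they are in place
        // even if a downstream servlet commits the response early.
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
        response.setHeader("Content-Security-Policy", cspValue);
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {
    }
}
```

Register it in the XML configuration exactly like the filter above, with a url-pattern of /* and an init-param named allowedFrameAncestors listing the permitted origins. Leaving the init-param out gives frame-ancestors 'self', which is the equivalent of SAMEORIGIN for browsers that honour CSP.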