Preventing a web page from being embedded in an iframe

As security requirements get stricter, many websites now block other pages from embedding them with an iframe.

The common approach is to add X-Frame-Options to the response headers; when a page is blocked this way, the browser's Developer Tools show the message below ↓
Another approach is to set Content-Security-Policy; the message the Developer Tools show in that case is ↓

Laravel 8.x adds X-Frame-Options: SAMEORIGIN uniformly on every request. Sometimes, though, we do want a page to be embeddable, for example so that an app can display it in a WebView; in that case this setting has to be turned off for that page.

1. Create a new FrameGuard middleware: copy \Illuminate\Http\Middleware\FrameGuard and add the check you need

    <?php

    namespace App\Http\Middleware;

    use Closure;
    use Illuminate\Support\Facades\Route;

    class FrameGuard
    {
        /**
         * Handle the given request and get the response.
         *
         * Sets X-Frame-Options: SAMEORIGIN on every response except the one
         * route that is meant to be embedded (e.g. by the app's WebView).
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return \Symfony\Component\HttpFoundation\Response
         */
        public function handle($request, Closure $next)
        {
            $response = $next($request);

            // Replace '{your.route.name}' with the name of the route that may be framed.
            if (Route::currentRouteName() !== '{your.route.name}') {
                $response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
            }

            return $response;
        }
    }
2. Open app\Http\Kernel.php and swap in the new FrameGuard

    class Kernel extends HttpKernel
    {
        /**
         * The application's global HTTP middleware stack.
         *
         * These middleware are run during every request to your application.
         *
         * @var array
         */
        protected $middleware = [
            ...
            // \Illuminate\Http\Middleware\FrameGuard::class,
            \App\Http\Middleware\FrameGuard::class,
        ];
        ...
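Once the middleware is in place it is worth verifying which routes actually remain embeddable. The following Python check is an added example, not code from the post or from Laravel: it evaluates a route's response headers the way a current browser does, covering X-Frame-Options as well as the Content-Security-Policy frame-ancestors directive mentioned above (which takes precedence when both are present). The route paths, origins and header sets are constructed samples; port numbers are ignored for simplicity.

```python
from urllib.parse import urlsplit

def parse_frame_ancestors(csp):
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def _source_matches(source, page_origin, embedder_origin):
    """Match one frame-ancestors source against the embedding origin (ports ignored)."""
    if source == "'self'":
        return embedder_origin == page_origin
    if source == "*":
        return True
    emb = urlsplit(embedder_origin)
    scheme, _, host = source.rpartition("://")  # scheme is '' when the source has none
    if scheme and scheme != emb.scheme:
        return False
    if host.startswith("*."):
        return emb.hostname.endswith(host[1:])
    return emb.hostname == host

def framing_allowed(headers, page_origin, embedder_origin):
    """Would a current browser let embedder_origin frame a page served from page_origin?
    A CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if "'none'" in ancestors:
            return False
        return any(_source_matches(s, page_origin, embedder_origin) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == page_origin
    # No header, or an unrecognised value (e.g. the obsolete ALLOW-FROM): no restriction applies.
    return True

# Constructed sample responses mirroring the Laravel setup described above.
SAMPLE_ROUTES = {
    "/dashboard": {"X-Frame-Options": "SAMEORIGIN"},  # default FrameGuard header
    "/webview/page": {},                              # route exempted by the custom middleware
    "/embed": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.example.app"},
}

def embeddable_routes(routes, page_origin, embedder_origin):
    """List the routes that embedder_origin would be allowed to put in an iframe."""
    return sorted(p for p, hdrs in routes.items() if framing_allowed(hdrs, page_origin, embedder_origin))

if __name__ == "__main__":
    print(embeddable_routes(SAMPLE_ROUTES, "https://www.example.com", "https://evil.example.net"))
```

Run it against headers captured from your own routes to confirm that only the WebView route is framable by third-party origins.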
