Why doesn't nginx sub_filter work with proxy_pass?

vul*_*ulp 7 javascript iframe nginx

Goal

I want to bypass the same-origin policy for an iframe via a reverse proxy so that I can work with the iframe.

Problem 1

The iframe's src is set to https://example1.com/iframe-app. But this still raises a same-origin policy violation in the browser. So the browser still sees the page in the iframe as not originating from https://example1.com/, which seems fine, because if the underlying page had the same origin, its ajax requests wouldn't work.

Problem 2

So I tried using the nginx sub_filter directive to inject my JavaScript into the response HTML. However, nothing is added to the response. Maybe this is because the response is encrypted due to the https protocol?

Why doesn't sub_filter work, and how can I make it work?

nginx configuration

    server {
            root /var/www/example1.com/html;
            index index.html index.htm index.nginx-debian.html;

            server_name example1.com www.example1.com;

            location / {
                    proxy_pass http://localhost:4000;
            }

            location /iframe-app {
                    # Strip the /iframe-app prefix before proxying. The optional "/"
                    # maps /iframe-app -> / and /iframe-app/x -> /x; the original
                    # pattern ^/iframe-app(.*) /$1 produced a double slash (//x).
                    rewrite ^/iframe-app/?(.*)$ /$1 break;

                    proxy_pass http://example2.com;

                    # sub_filter only sees an uncompressed body, so ask the
                    # upstream not to compress the response.
                    proxy_set_header Accept-Encoding "";

                    proxy_redirect off;

                    # Matched case-insensitively; only the first match is replaced.
                    sub_filter '</head>' '<script>...code</script></head>';
                    sub_filter_once on;
                    sub_filter_types text/html;
            }

            listen [::]:443 ssl ipv6only=on; # managed by Certbot
            listen 443 ssl; # managed by Certbot
            ssl_certificate /etc/letsencrypt/live/example1.com/fullchain.pem; # managed by Certbot
            ssl_certificate_key /etc/letsencrypt/live/example1.com/privkey.pem; # managed by Certbot
            include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
            ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    } # this closing brace was missing from the pasted config

    server {
            if ($host = www.example1.com) {
                    return 301 https://$host$request_uri;
            } # managed by Certbot

            if ($host = example1.com) {
                    return 301 https://$host$request_uri;
            } # managed by Certbot

            listen 80;
            listen [::]:80;

            server_name example1.com www.example1.com;
            return 404; # managed by Certbot
    }
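Whether sub_filter rewrites anything depends on the upstream response reaching it in a form it can handle: an uncompressed body, a Content-Type that matches sub_filter_types (the type is compared without its charset parameter), and a response the browser actually renders through the proxy rather than a redirect that, with proxy_redirect off, still points at example2.com. The script below is an added example, not code from the question or from nginx; it models those rules and nginx's case-insensitive, first-match-only substitution, and runs them over a few constructed HTTP responses. The host names are taken from the posted config; the responses themselves are made up for the example. Note also the design consequence of this setup: everything served under /iframe-app runs in example1.com's origin, so example2.com's own scripts get that origin too, not only the injected one.

```python
"""Offline checks for what nginx's sub_filter needs before it will rewrite
a proxied response: an uncompressed body, a Content-Type listed in
sub_filter_types, and a response that reaches the browser through the proxy
(not a redirect sending it straight to the upstream host).
All sample responses below are constructed for this example."""
import re

SUB_FILTER_TYPES = {"text/html"}   # mirrors `sub_filter_types text/html;`
PROXY_HOST = "example1.com"        # server_name in the posted config
UPSTREAM_HOST = "example2.com"     # proxy_pass target in the posted config


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def why_sub_filter_skipped(raw: bytes):
    """Return the reasons sub_filter would not touch this response
    (an empty list means the substitution should apply)."""
    status, headers, _ = parse_response(raw)
    reasons = []
    # 1. Redirect with proxy_redirect off: Location still names the upstream,
    #    so the browser leaves the proxy and never renders a filtered body.
    if 300 <= status < 400:
        loc = headers.get("location", "")
        if UPSTREAM_HOST in loc and PROXY_HOST not in loc:
            reasons.append(f"redirect to upstream host bypasses the proxy: {loc}")
    # 2. Compressed body: sub_filter only sees plaintext; this is what
    #    `proxy_set_header Accept-Encoding "";` is meant to prevent.
    enc = headers.get("content-encoding", "identity")
    if enc != "identity":
        reasons.append(f"body is {enc}-encoded; clear Accept-Encoding upstream")
    # 3. MIME type: sub_filter_types compares the type without parameters.
    mime = headers.get("content-type", "").split(";")[0].strip().lower()
    if mime not in SUB_FILTER_TYPES:
        reasons.append(f"content-type {mime!r} not in sub_filter_types")
    return reasons


def apply_sub_filter(body: str, needle: str, replacement: str, once: bool = True) -> str:
    """Model nginx's substitution: the needle is matched ignoring case, and
    sub_filter_once on stops after the first hit."""
    pattern = re.compile(re.escape(needle), re.IGNORECASE)
    return pattern.sub(replacement, body, count=1 if once else 0)


# Constructed sample responses (not captured from any real host).
OK_HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
           b"<html><head><title>t</title></HEAD><body></body></html>")
GZIPPED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"Content-Encoding: gzip\r\n\r\n\x1f\x8b...")
REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Location: https://example2.com/\r\nContent-Type: text/html\r\n\r\n")
JSON = b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"

if __name__ == "__main__":
    for name, raw in [("ok", OK_HTML), ("gzip", GZIPPED),
                      ("redirect", REDIRECT), ("json", JSON)]:
        print(name, why_sub_filter_skipped(raw) or "sub_filter applies")
    _, _, body = parse_response(OK_HTML)
    # Uppercase </HEAD> in the sample is still matched, as nginx would.
    print(apply_sub_filter(body.decode(), "</head>", "<script>...code</script></head>"))
```

Running the script against a real setup means replacing the constructed byte strings with a response captured from the upstream (for example with curl using the same Accept-Encoding header the proxy sends); the checks themselves do not change.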