{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 趁早两清 的问题《How to set X-Frame-Options in express.js node.js》','https://www.manongdao.com/q-639658.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have some static assets that I want to serve inside iframes of several desktop / mobile web clients.
Now, how do I whitelist a specific set of origins to be allowed setting of X-Frame-Options headers so that the resource can be embedded as iframes inside different desktop / mobile web clients. and for all other origins denies the access to this resource.
With a little digging I started off with -
const app = express();
var allowCrossDomain = function (req, res, next) {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
res.header('Access-Control-Allow-Headers', 'Content-Type, X-Requested-With, Authorization');
if (req.method === "OPTIONS") res.send(200);
else next();
}
app.use(allowCrossDomain);
Now here how do I set the X-Frame-Options header with the whitelisted origin values here -
You should import helmet and use frameguard to get some origins whitelisted. More on this topic: MDN X-FRAME-OPTIONS Best Practice Security