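I have not explicitly set x-frame-options to sameorigin in nginx, but nginx blocks my HTML page from rendering in an iframe. I tried specifying a domain in X-Frame-Options, but it did not work. I read through them all and tried some fixes, but none of them worked.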
https://preview.codecanyon.net/item/product-name/product-id
Preview my HTML page in an iframe.
The problem is not only about X-Frame-Options but about Content-Security-Policy also. Codecanyon sets a CSP header that prevents other sites from being framed in their site. Even if you allow all sites in your XFO header, they can block your site from displaying in their website with a CSP header.
But they are a market, so they have to open a way for developers to include an iframe in their preview page. It seems they have not implemented a way for developers to provide frame-src in the preview page. So Codecanyon's CSP header is in Report-Only mode. Everything is running fine despite the many errors you see in the Chrome Developer Console.
By the way, the CSP header you implemented has a syntax error: unexpected punctuation at the start.
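
The checks discussed in the answer, as an added JavaScript example that is not part of the original post and is not Codecanyon's or nginx's code: it separates an enforced `frame-src` on the embedding page from a Report-Only one, evaluates `X-Frame-Options` and `frame-ancestors` on the framed page, and flags malformed CSP directive names. The function names, the origins `market.example` and `demo.example`, and the header values are assumptions made for illustration, and source matching is deliberately simplified.

```javascript
// Simplified model of a browser's frame checks; all sample values are constructed.
// Directive names may only contain letters, digits and "-", so stray
// punctuation at the start of a CSP header is flagged as a syntax error.
function parseCsp(value) {
  const directives = {}, errors = [];
  for (const part of (value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    if (!/^[A-Za-z0-9-]+$/.test(name)) { errors.push(`bad directive name "${name}"`); continue; }
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources; // first occurrence wins
  }
  return { directives, errors };
}

// Source matching reduced to *, 'self' and exact origins (no host wildcards).
function allows(sources, target, self) {
  return sources.some(s => s === '*' || (s === "'self'" && target === self) || s === target);
}

function checkFrame(parent, child) {
  const out = { blocked: false, reasons: [], reportOnly: [], syntaxErrors: [] };
  const block = reason => { out.blocked = true; out.reasons.push(reason); };
  // 1. Embedding page: frame-src, falling back to child-src, then default-src.
  for (const [header, enforce] of [['content-security-policy', true],
                                   ['content-security-policy-report-only', false]]) {
    const { directives: d, errors } = parseCsp(parent.headers[header]);
    out.syntaxErrors.push(...errors);
    const list = d['frame-src'] || d['child-src'] || d['default-src'];
    if (!list || allows(list, child.origin, parent.origin)) continue;
    if (enforce) block('parent frame-src');
    else out.reportOnly.push('parent frame-src (console error only)');
  }
  // 2. Framed page: an enforced frame-ancestors overrides X-Frame-Options.
  const { directives: cd, errors } = parseCsp(child.headers['content-security-policy']);
  out.syntaxErrors.push(...errors);
  const xfo = (child.headers['x-frame-options'] || '').trim().toUpperCase();
  if (cd['frame-ancestors']) {
    if (!allows(cd['frame-ancestors'], parent.origin, child.origin)) block('child frame-ancestors');
  } else if (xfo === 'DENY' || (xfo === 'SAMEORIGIN' && parent.origin !== child.origin)) {
    block(`child X-Frame-Options: ${xfo}`);
  } // Other values, such as the obsolete ALLOW-FROM, are ignored by current browsers.
  return out;
}

// Constructed sample (header names lower-case): report-only parent, SAMEORIGIN child.
const PARENT = { origin: 'https://market.example', headers: { 'content-security-policy-report-only': "frame-src 'self'" } };
const CHILD = { origin: 'https://demo.example', headers: { 'x-frame-options': 'SAMEORIGIN' } };
console.log(checkFrame(PARENT, CHILD));
```

In the sample, the parent's Report-Only policy only produces a console report, while the child's own `SAMEORIGIN` header is what stops the frame from rendering.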