<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Clickjacking</title>
<style>
iframe {
width: 100%;
height: 100%;
display: block;
position: absolute; /*指定iframe和button为绝对定位*/
z-index: 20; /*指定在垂直方向上的高低*/
opacity: 0.01;
/*指定透明度*/
<!--注意,iframe的透明度不能设置为0,如果设置为0的话,就不能接受任何的点击事件了-->
}
button {
position: absolute;
left: 40px;
top: 65px;
z-index: 10;
}
</style>
</head>
<body>
<h2>哇塞,这张照片里怎么会有我!快来看看有没有你吧!</h2>
<button>查看照片</button>
<iframe src="https://blog.csdn.net/zjy123078_zjy/" frameborder="0"></iframe>
</body>
</html>
我们可以查看一下网页源代码,如下:
class XFrameOptionsMiddleware(MiddlewareMixin):
"""
Set the X-Frame-Options HTTP header in HTTP responses.
Do not set the header if it's already set or if the response contains
a xframe_options_exempt value set to True.
By default, set the X-Frame-Options header to 'SAMEORIGIN', meaning the
response can only be loaded on a frame within the same site. To prevent the
response from being loaded in a frame in any site, set X_FRAME_OPTIONS in
your project's Django settings to 'DENY'.
"""
def process_response(self, request, response):
# Don't set it if it's already in the response
if response.get('X-Frame-Options') is not None:
return response
# Don't set it if they used @xframe_options_exempt
if getattr(response, 'xframe_options_exempt', False):
return response
response['X-Frame-Options'] = self.get_xframe_options_value(request,
response)
return response
def get_xframe_options_value(self, request, response):
"""
Get the value to set for the X_FRAME_OPTIONS header. Use the value from
the X_FRAME_OPTIONS setting, or 'DENY' if not set.
This method can be overridden if needed, allowing it to vary based on
the request or response.
"""
return getattr(settings, 'X_FRAME_OPTIONS', 'DENY').upper()
原文:https://www.cnblogs.com/guyan-2020/p/12348070.html