Fix for iframe pages that will not open in OMV (2018-10-19)

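In OMV, pages such as shellinabox that are embedded in an iframe cannot be opened with OMV's default settings, because the security configuration blocks them. Here is how to enable them.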

Cause:

OMV adds a Content Security Policy setting in nginx, which restricts what can be opened in an iframe window.

Solution:

vi /etc/nginx/openmediavault-webgui.d/security.conf
  1 # Content Security Policy (CSP)
  2 # https://www.owasp.org/index.php/Content_Security_Policy
  3 add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;";
  4
  5 # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
  6 #add_header X-Frame-Options "SAMEORIGIN";
  7 add_header X-Frame-Options "ALLOW-FROM http://$host";
  8 
  9 # http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
 10 add_header X-Content-Type-Options "nosniff";
 11 
 12 # https://wiki.mozilla.org/Security/Features/XSS_Filter
 13 # http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
 14 add_header X-XSS-Protection "1; mode=block";

Comment out line 3:
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;";
by adding a # in front of it.
After the change:

  1 # Content Security Policy (CSP)
  2 # https://www.owasp.org/index.php/Content_Security_Policy
  3 #add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;";
  4
  5 # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
  6 #add_header X-Frame-Options "SAMEORIGIN";
  7 add_header X-Frame-Options "ALLOW-FROM http://$host";
  8 
  9 # http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
 10 add_header X-Content-Type-Options "nosniff";
 11 
 12 # https://wiki.mozilla.org/Security/Features/XSS_Filter
 13 # http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
 14 add_header X-XSS-Protection "1; mode=block";

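However, because the shellinabox web client is an HTTPS page, the first time you open it you still need to click the "web client" icon under the settings and accept the HTTPS prompt; only then will it open in the iframe.
If a certificate has been added for HTTPS, this should not be necessary.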
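
A narrower alternative to commenting out the whole policy, shown as an added example that is not from the original post: keep the CSP and add a `frame-src` directive for the embedded terminal's origin only. The `https` scheme matches the post's description of the web client; port 4200 on the same host is an assumption and must be changed to wherever shellinabox actually listens.

```nginx
# /etc/nginx/openmediavault-webgui.d/security.conf
# Added example: scoped alternative to disabling the policy.

# Before (the line from the original file): no frame-src is set, so iframes
# fall back to default-src 'self' and any other origin is refused.
#add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;";

# After: the same policy, plus one extra origin that may be loaded in iframes.
# Assumption: shellinabox is served at https://<same host>:4200.
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; frame-src 'self' https://$host:4200;";
```

Run `nginx -t` to validate the file and reload nginx for the header to take effect. The rest of the policy stays in force for scripts, styles and images in the web GUI.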
