In OMV (OpenMediaVault), interfaces such as shellinabox that are embedded in an iframe will not open from OMV's settings page by default: the security configuration forbids it. Here is how to enable it.
Cause:
OMV adds a Content-Security-Policy header in its nginx configuration, and that policy blocks the page from loading inside an iframe.
Fix:
vi /etc/nginx/openmediavault-webgui.d/security.conf
1 # Content Security Policy (CSP)
2 # https://www.owasp.org/index.php/Content_Security_Policy
3 add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;";
4
5 # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
6 #add_header X-Frame-Options "SAMEORIGIN";
7 add_header X-Frame-Options "ALLOW-FROM http://$host";
8
9 # http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
10 add_header X-Content-Type-Options "nosniff";
11
12 # https://wiki.mozilla.org/Security/Features/XSS_Filter
13 # http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
14 add_header X-XSS-Protection "1; mode=block";
Comment out line 3:
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;";
by prefixing it with a # sign.
After the change:
1 # Content Security Policy (CSP)
2 # https://www.owasp.org/index.php/Content_Security_Policy
3 #add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;";
4
5 # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
6 #add_header X-Frame-Options "SAMEORIGIN";
7 add_header X-Frame-Options "ALLOW-FROM http://$host";
8
9 # http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
10 add_header X-Content-Type-Options "nosniff";
11
12 # https://wiki.mozilla.org/Security/Features/XSS_Filter
13 # http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
14 add_header X-XSS-Protection "1; mode=block";
However, because shellinabox's web client is served over https, the first time you open it you still have to click the 『web client』 icon under settings and accept the https certificate warning there; only after that will it open inside the iframe.
If the https endpoint has a proper certificate installed, this step should not be necessary.