send_frame_options_header()

查看官方原文 ↗

💡 云策文档标注

概述

send_frame_options_header() 函数用于发送 HTTP 头，限制页面在 iframe 中的渲染，增强安全性。

关键要点

发送 X-Frame-Options: SAMEORIGIN 头，限制页面只能被同源 iframe 加载。
发送 Content-Security-Policy: frame-ancestors 'self'; 头，提供更现代的 iframe 限制方式。
仅在 headers_sent() 返回 false 时执行，避免重复发送头。
函数自 WordPress 3.1.3 版本引入。

注意事项

如需修改此行为，建议使用 .htaccess 文件而非直接修改函数，例如添加 Header always unset X-Frame-Options。

📄 原文内容

Sends a HTTP header to limit rendering of pages to same origin iframes.

Description

Source

function send_frame_options_header() {
	if ( ! headers_sent() ) {
		header( 'X-Frame-Options: SAMEORIGIN' );
		header( "Content-Security-Policy: frame-ancestors 'self';" );
	}
}

View all references View on Trac View on GitHub

Changelog

Version	Description
3.1.3	Introduced.

User Contributed Notes

Skip to note 2 content

esquire900

6 years ago

You must log in to vote on the helpfulness of this noteVote results for this note: 0You must log in to vote on the helpfulness of this note

For those who would like to change this behavior, try using .htaccess instead of modifying this function directly, i.e.

Header always unset X-Frame-Options

Log in to add feedback

云策 WordPress 开发者社区

函数文档